Anatomy of a Breach: MGM Resorts and Caesars — Scattered Spider's $100 Million Social Engineering Campaign Against Las Vegas

> series: anatomy_of_a_breach —— part: 177 —— targets: mgm_resorts + caesars —— attacker: scattered_spider —— method: phone_call_to_help_desk —— cost: $100M+

Hedgehog Security 30 September 2023 15 min read

A phone call to the help desk. $15 million paid by Caesars. $100 million lost by MGM. Slot machines, room keys, ATMs — all down.

In September 2023, Scattered Spider — a threat group composed primarily of young, English-speaking hackers — attacked two of Las Vegas's largest casino and hotel operators within days. Caesars Entertainment disclosed that attackers had stolen its loyalty programme database and paid approximately $15 million in ransom (against an initial $30 million demand). MGM Resorts was hit shortly after and refused to pay — resulting in a ten-day operational shutdown across its Las Vegas properties including the Bellagio, Mandalay Bay, Aria, and MGM Grand.

The MGM shutdown was total: hotel room keys stopped working, slot machines went dark, online reservations failed, the company's website went offline, guests queued for hours to check in manually, and even ATMs within the properties were non-functional. MGM estimated the total cost at approximately $100 million in lost revenue and remediation. Both attacks began the same way: a phone call to the company's IT help desk, with the attacker impersonating an employee whose identity had been researched through LinkedIn. The help desk reset the employee's credentials — giving the attackers access to the corporate network.

LinkedIn research. A phone call. A password reset. $100 million in damage.

Social Engineering — The Universal Entry Vector

From the <a href="/blog/anatomy-of-a-breach-twitter-hack">Twitter hack</a> (2020, phone call) through <a href="/blog/anatomy-of-a-breach-uber-2022">Uber</a> (2022, WhatsApp) to MGM/Caesars (2023, help desk call) — social engineering of IT support staff has become the dominant initial access technique for sophisticated attackers. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> include vishing (voice phishing) scenarios targeting help desk and IT support teams.

Help Desk as the Weakest Link

IT help desks are designed to be helpful — which makes them vulnerable to social engineering. The attacker impersonated an employee, provided details found on LinkedIn, and requested a password reset. Help desk identity verification procedures must be robust enough to resist social engineering. Our <a href="/penetration-testing/social-engineering">social engineering testing</a> evaluates help desk verification procedures.

Hospitality: Total Operational Shutdown

MGM's ten-day shutdown affected every aspect of the guest experience — demonstrating that modern hospitality operations are entirely dependent on IT systems. For UK <a href="/blog/sector-under-the-microscope-hospitality">hospitality organisations</a>, the MGM case demonstrates that ransomware can cause complete operational failure. <a href="/penetration-testing/infrastructure">Infrastructure testing</a> assesses operational resilience.

Scattered Spider: Young, English-Speaking, Effective

Scattered Spider is composed primarily of young Western hackers — not the Russian or Chinese state actors that dominate threat intelligence reporting. Their English fluency makes social engineering attacks against English-speaking help desks particularly effective. The barrier to entry for devastating social engineering is age, language skills, and LinkedIn — not technical sophistication. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the anomalous account activity that follows social engineering compromises.

Your help desk is a security control. Test it like one.

The MGM/Caesars attacks proved that IT help desks are critical security controls that must be tested with the same rigour as firewalls and access controls. Identity verification procedures for password resets, account unlocks, and MFA resets must resist social engineering — and the only way to know if they do is to test them. Social engineering assessments test help desk resilience. Cyber Essentials mandates MFA that resists social engineering. SOC in a Box monitors for anomalous password resets and access patterns. And UK Cyber Defence provides incident response when social engineering succeeds.
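One way to make the monitoring described above concrete is a small correlation rule over identity logs. The Python below is an added illustration written for this article, not Hedgehog Security's code or any product's detection logic. The JSON-lines log format, the field names (`event`, `geo`, `actor`), the sixty-minute correlation window and the sample events are all constructed for the example. It flags the sequence the article describes: a help-desk credential reset, followed within the window by a new MFA device enrolment and a sign-in from a location the account has never signed in from before.

```python
"""Correlate help-desk credential resets with follow-on account-takeover indicators.

Added example for this article (not the author's or any vendor's code). Log
format, field names, window length and sample events are constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed sample identity events, one JSON object per line.
# j.doe: reset by the help desk, then a new MFA device and a sign-in from a
#        region the account has never used -> the pattern we want to catch.
# a.smith: reset by the help desk, then a normal sign-in from the usual
#        region and no MFA change -> routine, should not alert.
SAMPLE_LOG = """
{"ts": "2023-09-10T14:02:11Z", "user": "j.doe", "event": "signin", "src": "10.20.30.40", "geo": "GB-LON", "actor": "j.doe"}
{"ts": "2023-09-10T16:40:00Z", "user": "a.smith", "event": "signin", "src": "10.20.30.41", "geo": "GB-LON", "actor": "a.smith"}
{"ts": "2023-09-11T09:15:00Z", "user": "j.doe", "event": "helpdesk_password_reset", "src": "10.0.5.9", "geo": "GB-LON", "actor": "helpdesk.agent7"}
{"ts": "2023-09-11T09:21:30Z", "user": "j.doe", "event": "mfa_device_enrolled", "src": "198.51.100.23", "geo": "US-NV", "actor": "j.doe"}
{"ts": "2023-09-11T09:24:05Z", "user": "j.doe", "event": "signin", "src": "198.51.100.23", "geo": "US-NV", "actor": "j.doe"}
{"ts": "2023-09-11T10:00:00Z", "user": "a.smith", "event": "helpdesk_password_reset", "src": "10.0.5.9", "geo": "GB-LON", "actor": "helpdesk.agent3"}
{"ts": "2023-09-11T10:05:00Z", "user": "a.smith", "event": "signin", "src": "10.20.30.41", "geo": "GB-LON", "actor": "a.smith"}
"""

# Assumption: how long after a help-desk reset we look for follow-on activity.
WINDOW = timedelta(minutes=60)


def parse_events(text):
    """Parse JSON-lines identity events and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_helpdesk_takeover(events, window=WINDOW):
    """Return one alert per help-desk reset that is followed, within `window`,
    by an MFA device enrolment and/or a sign-in from a location the account
    had never signed in from before the reset."""
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    alerts = []
    for user, user_events in by_user.items():
        for idx, reset in enumerate(user_events):
            if reset["event"] != "helpdesk_password_reset":
                continue
            # Baseline: sign-in locations this account used before the reset.
            baseline = {e["geo"] for e in user_events[:idx] if e["event"] == "signin"}
            indicators = []
            for follow in user_events[idx + 1:]:
                if follow["ts"] - reset["ts"] > window:
                    break
                if follow["event"] == "mfa_device_enrolled":
                    indicators.append("mfa_device_enrolled")
                elif (follow["event"] == "signin" and baseline
                      and follow["geo"] not in baseline):
                    indicators.append(f"signin_from_new_geo:{follow['geo']}")
            if indicators:
                alerts.append({
                    "user": user,
                    "reset_ts": reset["ts"].isoformat(),
                    "reset_by": reset["actor"],
                    "indicators": indicators,
                    # Two independent indicators after a reset is the full
                    # takeover sequence; one alone is worth a manual review.
                    "severity": "high" if len(indicators) >= 2 else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The rule keys on the help desk's own action rather than on the attacker's traffic, which is the point: a reset performed by a support agent is legitimate and common, so it is only the combination with a new MFA factor and a never-seen sign-in location that makes the sequence worth an analyst's attention. A genuine employee who calls in while travelling will still trip the location check, so the severity tiers are there to be tuned against your own reset volume, and the `reset_by` field lets the review start with a conversation with the agent who handled the call.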


A phone call to MGM's help desk cost $100 million. Would your help desk verify the caller's identity?

<a href="/penetration-testing/social-engineering">Social engineering testing</a> includes help desk vishing. <a href="/cyber-essentials">Cyber Essentials</a> mandates robust MFA. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects post-compromise activity.
