Massive Cyber Attacks on MGM Resorts & Caesars Entertainment Explained

Date: 18 September 2023

Casino and Hotel companies MGM Resorts International and Caesars Entertainment have been dominating news headlines in the past few days. Unfortunately, the reasons aren't worth celebrating.  

The MGM Resorts cyber attack is crippling properties across Las Vegas and other locations. Customers are complaining of slot machines going dark, key cards behaving erratically, ATMs becoming inert and troubles in cashing out winnings. 

In the case of Caesars, the cyber attack has led to the sensitive information of many loyalty programme members being compromised. Some reports are suggesting that Caesars has paid off half of the huge ransom that hackers demanded to prevent leak of the information stolen. It’s important to note here that MGM was also attacked earlier in 2019 and data of 10.6 million customers was breached and published online. 

These two cases are yet again reiterating that the scourge of ransomware will continue to rear its ugly head at an accelerated pace year after year. Cybersecurity issues that affect casinos and hotel rooms make for even more pronounced drama and attention - one of the many motivations that cyber threat actors usually have. 

Not to mention the huge sums of money that are up for grabs along with tonnes of data. Historically, casinos aren’t secured as well as perhaps financial institutions, tech firms or even healthcare organisations, making matters more complicated.     

In this blog, we quickly aim to break down what exactly happened in the attacks on MGM Properties and Caesars Entertainment. We’ll also be publishing a detailed timeline into these sophisticated and news-making attacks as part of our ongoing Cyber Attack Timelines initiative. 

New call-to-action

The MGM Resorts Cyber Attack - What We Know So Far

On 11th September, 2023, news began to surface that MGM Resorts had been affected by a cybersecurity issue and its online systems were behaving erratically, causing a range of inconveniences to customers. 

Next, unverified reports began to emerge about who the threat actors were and many alleged that ALPHV/BlackCat Ransomware Gang was to be blamed. TechCrunch reported that a subgroup of ALPHV known as Scattered Spider, is actually behind the attack. 

They also apparently admitted to using sophisticated social engineering tactics to get the better of MGM. They called the company’s helpdesk with an employee’s information found on LinkedIN and managed to access that employee’s account to get entry into the company’s network.     

The hackers claim that they managed to get into MGM’s Okta platform which connects directly to the Active Directory. Okta’s Chief Security Officer, David Bradbury, said that his company had issued a threat advisory in August against attacks of this nature on some of its customers. 

This particular attack has raised specific concerns about the weakest link in the cybersecurity chain - the human factor. Despite the most sophisticated of security technologies, human error remains a prominent threat that there is no sure shot way to prevent. 

Providing high-quality cybersecurity training appears to be the only way to raise awareness and offer at least a certain degree of protection against social engineering attacks. The incident also highlights the need for improved Cyber Incident Response Planning. Ransomware attacks are here to stay and if they can run this kind of wreckage on casino floors more often, the industry is likely to face severe financial repercussions.  

cyber tabletop scenarios

Caesars Entertainment Cyber Attack 

Just as stories of the chaos at MGM’s signature properties started doing the rounds, another significant news story broke. Caesars, which runs over 50 properties including the famous Caesars Palace, acknowledged that it too had been victim of a cyber attack. 

In its filing with the United States Securities Exchange Commission, the company said that it had also been a victim of a social engineering attack on its IT support vendor. 

As per several news sources including BleepingComputer, Caesars implied in its 8-K filing with the US SEC that it had paid at least a part of the ransom demanded. 60814857_m_normal_none (1)

The form states: “We have taken steps to ensure that the stolen data is deleted by the unauthorised actor, although we cannot guarantee this result.” A Wall Street Journal report claims that the casino chain allegedly paid $15 million - half of the $30 million that was initially demanded. 

In the case of Caesars, apparently, only the data of Loyalty Programme customers was compromised. It did not disrupt its online or physical customer-facing operations like in the case of MGM. 

Lessons Learned from the MGM & Caesars Attacks 

The back-to-back attacks on two of the largest and most popular Casino and Hotel chains in the world have received exactly the kind of attention that the hackers probably vied for. 

Apart from the enormity of the damage the attacks have caused - customer services in one case and a hefty ransom in the other - these incidents also contain overwhelming lessons in cybersecurity.  

Experts across the globe have been sharing their view on what we can take away from these cybersecurity attacks. We sum them up for you here: 

  • Ransomware Preparedness: Ransomware attackers are not sparing anyone. You could most certainly be next. Is your team prepared to handle an attack of this nature? Do you have an executive-level decision on how you’ll deal with ransom demands (because it’s never recommended to pay)? These are basic questions all businesses should be asking in the wake of these two attacks. Download our Ransomware Response Guides for immediate help.  

  • Stronger Systems for Employee Identification: There’s no two ways about this. You need to ensure that when a hacker calls up your company’s help desk with credentials that are easily available online, they aren’t given a smooth passage into your Active Directory. Multi-factor authentication, limited global access to Okta, separate directories for admin logins and critical infrastructure are just some of the steps that must be taken urgently.   

  • Incident Response Plans: A solid Cyber Incident Response Plan is absolutely critical to a business’s survival in the hostile threat landscape we inhabit. If your business is similarly brought to its knees, what will you do? Do you have the necessary protocols in place to inform law enforcement? Who will deal with the media’s persistent request for comments? What steps will you take to salvage your computer systems as fast as possible? An Incident Response Plan details all of these and can seriously act as a buffer to the big blow of a cyber attack.  

  • Regular Cyber Tabletop Drills: Just having a cyber Incident response plan, however, is never enough. All the important stakeholders and decision-makers must be aware of its contents. More importantly, they should regularly rehearse simulated attack situations and develop a kind of muscle memory for the steps in the IR plan. Only through regular Cyber Attack Tabletop Exercises will they be able to act instinctively and wisely in a stressful ransomware situation. 
  • Incident Response Specialists on Call: In an emergency situation as vicious as the one MGM is facing, it can really help to have expert Cybersecurity Specialists on call. Incident Response Retainers can swoop in and help you mitigate the damage as far as possible. They can also help you get critical business operations back on track faster than you might be able to do internally. 

In the end, it’s important to remember that no organisation willfully attracts a cyber crime of this nature. They probably did everything they felt was necessary to feel secure, given the volumes of money they make and trade in. These attacks are then the clarion call that we do receive every few months - no matter which industry you operate in, prioritise your cybersecurity like your business depends on it. 

Put in place the necessary security protocols, plans and communication templates you need. Identify and enlist cybersecurity consultants that will work for you. Don’t make business continuity and disaster recovery an after-thought. The attackers are coming and your only real protection is preparation!   

New call-to-action



New call-to-action

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422
yt-1