Cybercrime Stories
The House Always Wins… Until It Doesn’t

April 9, 2025 · 5 min read


The MGM Cyber Siege

MGM Resorts International (NYSE: MGM) is a global powerhouse in gaming and hospitality, operating 31 hotel and gaming destinations worldwide, including iconic Las Vegas landmarks like Bellagio and Mandalay Bay.

In September 2023, MGM fell victim to a devastating ransomware attack that disrupted operations, exposed sensitive data, and ultimately cost the company over $100 million. Combined with a 2019 data breach, the incidents affected over 37 million guests, resulting in widespread litigation and a $45 million class action settlement.


The Incident


On September 10, 2023, MGM Resorts began experiencing significant system outages. By September 11, the company confirmed a “cybersecurity issue” and initiated emergency response measures. Within days, guests reported being locked out of rooms, unable to use slot machines, ATMs, or digital services. Staff reverted to pen-and-paper operations across multiple properties in Las Vegas and beyond.

This attack followed a similar breach at Caesars Entertainment, believed to be perpetrated by the same group. While Caesars reportedly paid a $15 million ransom, MGM refused, opting instead for a full rebuild of its systems, a move that led to nearly a week-long disruption.


The Hack


The attack was orchestrated by Scattered Spider, a cybercriminal group known for sophisticated social engineering and vishing (voice phishing), in collaboration with ALPHV/BlackCat, a ransomware-as-a-service (RaaS) syndicate.

The intrusion began when attackers impersonated MGM employees over the phone, tricking help desk staff into resetting credentials. Once inside, they escalated privileges to admin-level access in MGM’s Okta and Azure environments, bypassing weak or fatigued multi-factor authentication (MFA) protections.

Over 100 ESXi hypervisors were encrypted with ALPHV’s ransomware, effectively paralyzing MGM’s infrastructure. Later on, Scattered Spider claimed to have exfiltrated 6 terabytes of sensitive data, including guest and employee records.


The Impact


The fallout from these cyberattacks has been extensive:

Operational Disruption:

  • Slot machines, hotel room keys, ATMs, and payment systems failed across more than 30 properties.

  • Guests experienced long lines, check-in delays, and service interruptions.

  • The MGM mobile app and reservation systems were offline for nearly a week.

Financial Fallout:

  • MGM reported $100 million in losses to its Q3 2023 EBITDA due to the incident.

  • The company incurred an additional $10 million in IT and legal expenses.

  • The total cost, including cleanup and consulting, is estimated to exceed $110 million.

Data Compromised:

The breach affected over 37 million individuals, exposing:

  • Names, dates of birth, and contact details

  • Social Security numbers

  • Driver’s license, military ID, and passport numbers

Stock Price Drop:

  • MGM’s stock fell 4.1% within two trading days of the incident going public.


The Response


  • Immediate Action: MGM shut down vulnerable systems, launched an investigation, and engaged the FBI, Nevada Gaming Control Board, and third-party cybersecurity firms.

  • Restoration Timeline: Systems began recovery on September 14 and were fully restored by September 20.

  • Customer Support: MGM created a dedicated portal (mgmsettlement.com) to notify victims and handle claims.

  • Security Overhaul: MGM committed to investing $40 million in long-term IT and cybersecurity improvements, including enhanced MFA and access controls, network segmentation, intrusion detection upgrades, encryption of sensitive data, and employee training to combat social engineering.


Legal and Regulatory Fallout


Class Action Settlement: In January 2025, MGM agreed to a $45 million settlement covering both the 2019 data breach and the 2023 ransomware attack. Affected individuals will receive:

  • $75 (Tier 1): SSNs or military IDs compromised

  • $50 (Tier 2): Passport or driver’s license leaked

  • $20 (Tier 3): Basic identity data exposed

  • Up to $15,000 for documented identity theft damages

  • One year of free credit monitoring

FTC Investigation and Lawsuit:

The Federal Trade Commission issued a Civil Investigative Demand (CID) to MGM in January 2024. MGM filed a lawsuit to block the CID, arguing FTC overreach and citing a potential conflict of interest due to FTC Chair Lina Khan being an MGM guest during the breach. In February 2025, the FTC withdrew its CID following a change in federal administration, ending the legal battle.


What to Do If You’ve Been Affected


For Individuals:

  • Claim Compensation: Visit mgmsettlement.com to check eligibility and file claims before the June 18, 2025 final approval hearing.

  • Enroll in Credit Monitoring: Use the free monitoring services offered as part of the settlement.

  • Monitor Financial Accounts: Watch for identity theft, fraudulent charges, or account changes.

  • Place a Fraud Alert or Credit Freeze: Contact Equifax, Experian, and TransUnion for extra protection.


For Businesses: Lessons from MGM Resorts


  • Prioritize Social Engineering Defense: Scattered Spider gained access via vishing. Train all staff, especially help desks, to detect and resist impersonation tactics.

  • Strengthen MFA Resilience: Use phishing-resistant MFA and monitor for MFA fatigue attempts.

  • Implement Network Segmentation: MGM’s lateral compromise across hypervisors exposed a lack of internal boundaries. Segment critical assets.

  • Enhance Incident Response Plans: Include manual backup procedures, public communication protocols, and law enforcement coordination.

  • Communicate Transparently: Publicly acknowledging incidents and updating victims early can reduce reputational damage.

  • Don’t Rely on Legal Shields: MGM’s battle with the FTC shows that post-breach legal scrutiny is intense, even if ultimately dropped.
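An added example (not from the original article): one way to act on the help-desk and MFA-fatigue lessons above is to flag any approved push that follows a burst of denied pushes, and to raise the severity when a help-desk MFA reset preceded it. The event schema, event names, thresholds and sample events are constructed assumptions; map them to your identity provider's own log fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, event type).
# The event type names are hypothetical, not any vendor's schema.
EVENTS = [
    ("2025-01-06T09:00:00", "alice", "helpdesk_mfa_reset"),
    ("2025-01-06T09:04:10", "alice", "push_denied"),
    ("2025-01-06T09:04:40", "alice", "push_denied"),
    ("2025-01-06T09:05:05", "alice", "push_denied"),
    ("2025-01-06T09:05:30", "alice", "push_approved"),
    ("2025-01-06T10:00:00", "bob", "push_denied"),      # single mistap
    ("2025-01-06T10:00:30", "bob", "push_approved"),
    ("2025-01-06T11:00:00", "carol", "push_denied"),
    ("2025-01-06T11:01:00", "carol", "push_denied"),
    ("2025-01-06T11:02:00", "carol", "push_denied"),
    ("2025-01-06T11:02:30", "carol", "push_approved"),  # burst, no reset
]


def detect_mfa_fatigue(events, min_denials=3,
                       window=timedelta(minutes=10),
                       reset_lookback=timedelta(hours=24)):
    """Alert when a push is approved after >= min_denials denials in `window`.

    Severity is "high" if a help-desk MFA reset for the same user occurred
    within `reset_lookback` before the approval, otherwise "medium".
    """
    denials = defaultdict(list)   # user -> denial times since last approval
    last_reset = {}               # user -> time of most recent help-desk reset
    alerts = []
    for ts, user, kind in sorted(events):  # ISO timestamps sort by time
        t = datetime.fromisoformat(ts)
        if kind == "helpdesk_mfa_reset":
            last_reset[user] = t
        elif kind == "push_denied":
            denials[user].append(t)
        elif kind == "push_approved":
            recent = [d for d in denials[user] if t - d <= window]
            if len(recent) >= min_denials:
                reset = last_reset.get(user)
                high = reset is not None and t - reset <= reset_lookback
                alerts.append({"user": user, "time": ts,
                               "denials": len(recent),
                               "severity": "high" if high else "medium"})
            denials[user].clear()  # an approval starts a new sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(EVENTS):
        print(alert)
```
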


What This Means Moving Forward


The MGM breach is now one of the most consequential ransomware attacks in hospitality history. It showcases the real-world fallout from modern, multi-vector cybercrime: data loss, operational disruption, regulatory probes, reputational damage, and massive financial cost.

As digital infrastructure becomes inseparable from guest experiences, security cannot be treated as an afterthought; it must be embedded, tested, and continuously improved.

This case is a wake-up call to the hospitality and entertainment industry:

If one phone call can take down a billion-dollar brand, your frontline is your last line of defense.

Stay tuned as we uncover more real-life digital horrors on Cybercrime Stories.


Copyright © 2026 911Cyber. All Rights Reserved.
