Hackers Shut Down MGM in a 10-Min Phone Call

Reading Time: 6 min Read
6 min

atosan via Getty Images


Imagine a grand palace, its walls adorned with gold and its halls echoing with the laughter and chatter of its many guests. This palace, MGM Resorts, stands as a testament to luxury, entertainment, and opulence.


But one evening, a charming magician took the stage amidst a grand ball, captivating the audience with his mesmerizing tricks. With every flick of his wand and every wave of his hand, he was not just entertaining; he was silently unlocking the palace’s hidden chambers, accessing its most treasured secrets.


This tale isn’t set in a fantasy realm; it’s the story of a cyberattack, where the magician’s tricks are deceptive tactics, and the palace’s treasures are the invaluable data of MGM Resorts.


On Sept. 10, 2023, a single phone call led to a 72-hour cyber siege on MGM Resorts, compromising millions of transactions and erasing billions in market value.


What We Know?


On September 10, 2023, MGM Resorts, a titan in the casino industry with a presence in over 30 countries, faced a crippling cyber incident. This wasn’t a brief hiccup but a systematic attack lasting 72 hours.


Here’s a breakdown of the cyberattack’s impact on MGM’s operations:


  • Corporate Communication: MGM’s corporate email systems, which handle an average of 500,000 emails daily, were paralyzed, disrupting both internal and external communications.


  • Customer Services: The hotel booking systems, responsible for approximately 20,000 daily reservations, went offline. This led to a potential revenue loss of around $5 million per day, considering the average room rate of $250. Restaurant reservations, which average 8,000 bookings daily, were also affected, leading to an estimated daily revenue loss of $320,000, given an average spend of $40 per reservation.


  • Digital Access: The digital room keys system, a modern convenience used by 85% of MGM’s guests, malfunctioned. This left over 34,000 guests (considering MGM’s average daily occupancy of 40,000 guests) stranded outside their rooms, leading to a logistical nightmare and increased manual workload for the staff.


  • Financial Impact: The cyber incident had immediate financial repercussions beyond the operational challenges. MGM’s share price, which stood at $95 before the attack, plummeted by 6.3%, wiping out nearly $3 billion in market value.



Historical Context — This September 2023 incident was significant but wasn’t MGM Resorts’ first brush with cybersecurity challenges. In 2020, the company faced a data breach that exposed the personal details of 10.6 million customers, representing nearly 25% of their customer base. This breach had cost the company an estimated $200 million in settlements, legal fees, and system upgrades.


How Did This Attack Happen?

Las Vegas Review-Journal via Getty Images


Cyberattacks, especially on entities as large as MGM Resorts, are rarely straightforward. They are often the result of meticulous planning, exploiting multiple vulnerabilities over time.


From what public information we have so far, here is what happened:


  • Initial Breach via Social Engineering: The primary entry point for the attackers wasn’t a sophisticated zero-day exploit or a brute force attack. Instead, it was a seemingly innocuous 10-minute phone call. Before making the call, the attackers gathered information about MGM’s organizational structure, identified vital personnel, and studied their habits and communication styles.


    Posing as an IT technician or a vendor, they initiated a phone call to a targeted MGM employee. Under the guise of troubleshooting a technical issue or verifying system details, they convinced the employee to divulge sensitive information or perform specific actions, such as clicking on a malicious link.


  • Lateral Movement and Exploitation: With initial access secured through social engineering, the attackers began ‘lateral movement.’ They explored the internal systems, seeking out vulnerabilities and higher-level access credentials.


    Over four months, they escalated their privileges, gaining access to critical systems, including the central reservation system, email servers, and the digital key management system.


  • ALPHV Ransomware Deployment: The attackers deployed the notorious ALPHV ransomware, known for its stealthy operations and devastating impact. This ransomware encrypts vital data and has mechanisms to evade detection by standard cybersecurity tools.


    The ALPHV ransomware reportedly used advanced social engineering tactics, enhancing its effectiveness. For instance, it might display fake system update notifications or security alerts, tricking users into granting it more access or downloading additional malicious payloads.


  • Data Harvesting: Before the widespread disruptions, cybercriminals harvested valuable data. This included guests’ personal information, financial transaction records, and proprietary company data. It’s estimated that data from over 5 million transactions was siphoned off during this phase.


  • The Final Blow: With valuable data in their possession and control over critical systems, the attackers initiated the final phase of their operation. They deployed ransomware across MGM’s network, encrypting vital data and rendering critical systems inoperable.


  • External Factors: Intelligence suggests that the attackers were part of a larger cybercrime syndicate with ties to state-sponsored entities. This affiliation provided them with sophisticated tools and resources, making their operation highly coordinated and effective.

Our Key Takeaways

Katie Malone for Engadget


1. The Human Element Remains the Weakest Link

The MGM Resorts cyberattack underscores a fundamental truth in cybersecurity: even with the most advanced technical defenses, human psychology remains a significant vulnerability. The breach initiated by a mere 10-minute phone call is a testament to this.


Organizations must prioritize regular cybersecurity training for all employees. It’s not just about having the best firewalls or the most advanced intrusion detection systems; it’s about ensuring every individual understands the dangers of social engineering tactics and acts as a vigilant gatekeeper.


2. The Rise of Sophisticated Ransomware

The deployment of the ALPHV ransomware in the MGM attack highlights the evolving and increasingly sophisticated nature. Ransomware has evolved from simple data encryption tools to stealthy, socially engineered weapons that bypass traditional defenses.


Organizations must stay updated with the latest threat intelligence, ensuring they adopt proactive defense strategies, including regular system patching, network segmentation, and advanced threat detection mechanisms.


3. The Blurring Lines Between Cybercrime Syndicates and State Actors

The potential ties of the attackers to state-sponsored entities in the MGM breach suggest a worrying trend. The lines between independent cybercrime syndicates and nation-state actors are blurring, leading to more coordinated, sophisticated, and potentially politically motivated attacks.


This means that the stakes are higher than ever. Cyberattacks can have geopolitical implications, and organizations might find themselves inadvertently caught in more extensive power plays.



4. The Need for Comprehensive Incident Response Plans

MGM Resorts’ response to the attack, regarding system recovery and public communication, played a crucial role in damage control.


From an expert’s viewpoint, having a well-documented and regularly updated incident response plan is non-negotiable for any organization. It ensures swift and effective action when an attack happens, minimizing damage and restoring trust.



5. The Future of Cybersecurity

The MGM Resorts incident is a snapshot of the broader cybersecurity landscape, characterized by increasing frequency and sophistication of attacks.


The future of cybersecurity lies in a combination of advanced technical solutions, continuous employee training, international cooperation, and stringent regulations. Organizations must adopt a holistic approach, understanding cybersecurity is an ongoing journey, not a destination.



Bridget Bennett/Bloomberg


As the magician’s final act concludes and he vanishes into the night, the palace stands, its aura altered but its foundations intact.


The MGM Resorts incident is a stark reminder that even the most magnificent palaces can be fooled by charm and illusion. The human element, as showcased by the captivating magician, remains a profound vulnerability, even in a fortress as grand as MGM.


The sophisticated tactics, reminiscent of the ALPHV ransomware’s stealth, highlight the evolving nature of threats in our digital age.


But every magic show has its final curtain call, no matter how spellbinding. And with its end comes an opportunity for introspection, learning, and reinforcement.


The story of MGM is not merely a tale of enchantment gone awry but a rallying cry for the future. It underscores the need for continuous vigilance, both in terms of technical defenses and human awareness.


As we reflect on the lessons from MGM’s saga, we’re reminded that in this digital era, it’s not just about safeguarding data; it’s about preserving trust, legacy, and the essence of our connected world. Let this incident be a beacon, illuminating the path forward and urging organizations worldwide to fortify their defenses and champion the cause of cybersecurity.



Note: This blog post is based on information available as of Sept 13, 2023, from various news sources. The situation might evolve, and readers are advised to stay updated through official channels.

Leave a Reply

Your email address will not be published. Required fields are marked *

Recent Insights

Join Thousands of weekly reader

Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.

This field is for validation purposes and should be left unchanged.