How the MGM Breach Happened
In 2023, MGM Resorts International faced a cyberattack that shut down hotel operations, disrupted slot machines and cost the company roughly US$100 million. The attackers, believed to be associated with the Scattered Spider group, did not exploit a technical vulnerability. Instead, they called the help desk.
Attackers collected personal information about an MGM employee from social media and breach databases. They impersonated the employee on the phone, answered security questions and convinced the help‑desk agent to reset the employee’s password and multi‑factor authentication (MFA). With legitimate credentials, they accessed MGM’s network, deployed ransomware and exfiltrated data. This “MGM playbook” illustrates how a single lapse in help‑desk verification can bypass sophisticated security controls.
The Role of Help Desk Social Engineering
Social engineering is at the heart of MGM‑style breaches. Attackers exploit the human desire to help and the urgency of support requests. Key tactics include:
- Impersonation – Attackers use personal data to impersonate employees. They may spoof caller IDs or clone voices to sound convincing.
- MFA reset requests – They request removal of existing MFA devices and enrollment of new ones, often citing lost phones or changed numbers.
- Answering security questions – They answer knowledge‑based questions using publicly available information.
- Uniform processes – Many help desks use the same reset process for all accounts. Attackers target high‑privilege accounts because they follow the same script.
Once the help desk resets MFA, the attacker holds credentials that are indistinguishable from the legitimate account holder's. Traditional detection tools, which look for malware or exploits rather than valid logins, may not flag the breach until damage is done.
Lessons Learned from MGM
The MGM breach offers several lessons:
- Help‑desk verification is critical – Technical security controls cannot compensate for weak human verification. Attackers will seek out the softest target.
- Knowledge‑based authentication is outdated – Personal data is widely available. Security questions are no longer effective.
- Uniform processes create single points of failure – High‑privilege accounts should have stricter procedures, such as multi‑party approval.
- Attackers invest in research – They gather data and rehearse scripts. Defenders must assume that attackers know personal details.
- Incident response matters – Prompt reporting and response can minimize damage.
Steps You Can Take Now to Prevent Similar Breaches
To avoid becoming the next MGM, organizations should implement the following measures:
- Secure identity proofing – Replace knowledge‑based questions with secure identity verification. Require government‑ID scans and device confirmation.
- Phishing‑resistant MFA – Use hardware security keys or passkeys. Google’s deployment of security keys eliminated employee phishing. Even if attackers reset a password, they cannot authenticate without the key.
- Scripted workflows and policies – Provide help‑desk agents with scripts that enforce call‑backs to numbers on file and multi‑party approval for high‑privilege accounts. Automate approvals to prevent human error.
- Zero‑trust principles – Treat every request as untrusted until verified. Verify both the user and the device.
- Training and simulations – Conduct vishing simulations and training to teach agents how to recognize social‑engineering tactics. Encourage employees to report suspicious calls and repeated MFA prompts. Remind them not to approve unexpected push notifications.
- Monitoring and analytics – Log all password resets and MFA changes. Use analytics to detect patterns like repeated resets from the same number or unusual times. Investigate anomalies promptly.
- Incident response plan – Develop a plan for responding to social‑engineering breaches. Include procedures for isolating accounts, notifying stakeholders and restoring services.
- Board and executive engagement – Brief executives and board members on help‑desk risks. The US Cloud blog stresses that boards must actively engage in cybersecurity governance to prevent operational and reputational harm. Executive buy‑in is essential for resource allocation.
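The monitoring bullet above calls for logging every password and MFA reset and flagging patterns such as repeated resets from one caller, off-hours activity, or a high-privilege reset that skipped multi-party approval. The script below is an added example of that detection logic, not code from the original article, MGM, or US Cloud. It assumes a help-desk system that emits one JSON record per reset with the fields shown; the field names, thresholds and sample records are constructed for illustration.

```python
"""Detection rules over help-desk account-recovery events (added example).

Assumed input: one JSON object per line with ts (UTC), ticket, agent,
caller (phone number on the ticket), account, action, privileged and
approvals. These fields and the sample log are constructed, not taken
from any real product or incident.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: one benign reset, a burst of off-hours
# resets from a single caller against two accounts, and a privileged
# reset that correctly carried two approvals.
SAMPLE_LOG = """
{"ts": "2024-01-15T14:02:11Z", "ticket": "HD-1001", "agent": "agent_a", "caller": "+15550100", "account": "jsmith", "action": "password_reset", "privileged": false, "approvals": 1}
{"ts": "2024-01-15T22:41:05Z", "ticket": "HD-1002", "agent": "agent_b", "caller": "+15550199", "account": "it_admin01", "action": "mfa_reset", "privileged": true, "approvals": 1}
{"ts": "2024-01-15T22:47:30Z", "ticket": "HD-1003", "agent": "agent_b", "caller": "+15550199", "account": "it_admin01", "action": "password_reset", "privileged": true, "approvals": 1}
{"ts": "2024-01-15T23:10:00Z", "ticket": "HD-1004", "agent": "agent_c", "caller": "+15550199", "account": "fin_ops", "action": "mfa_reset", "privileged": false, "approvals": 1}
{"ts": "2024-01-16T09:15:00Z", "ticket": "HD-1005", "agent": "agent_a", "caller": "+15550123", "account": "adm_root", "action": "mfa_reset", "privileged": true, "approvals": 2}
"""

RESET_ACTIONS = {"password_reset", "mfa_reset"}


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def analyze(events, business_hours=(8, 18),
            repeat_window=timedelta(hours=1),
            caller_window=timedelta(hours=24)):
    """Return one alert dict per (event, rule) that fires.

    Rules (thresholds are assumptions to tune per environment):
      privileged_reset_single_approval - privileged account reset without
                                         the multi-party approval the
                                         workflow should enforce
      off_hours_reset                  - reset outside business hours (UTC)
      repeated_reset_same_account      - second reset on one account
                                         inside repeat_window
      shared_caller_multiple_accounts  - one caller number used to reset
                                         two or more distinct accounts
                                         inside caller_window
    """
    alerts = []
    seen_by_account = defaultdict(list)   # account -> earlier reset times
    seen_by_caller = defaultdict(dict)    # caller -> {account: last time}

    def flag(event, rule):
        alerts.append({"rule": rule, "ticket": event["ticket"],
                       "account": event["account"], "caller": event["caller"]})

    for e in events:
        if e["action"] not in RESET_ACTIONS:
            continue
        if e["privileged"] and e["approvals"] < 2:
            flag(e, "privileged_reset_single_approval")
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            flag(e, "off_hours_reset")
        if any(e["ts"] - t <= repeat_window for t in seen_by_account[e["account"]]):
            flag(e, "repeated_reset_same_account")
        seen_by_account[e["account"]].append(e["ts"])
        others = [a for a, t in seen_by_caller[e["caller"]].items()
                  if a != e["account"] and e["ts"] - t <= caller_window]
        if others:
            flag(e, "shared_caller_multiple_accounts")
        seen_by_caller[e["caller"]][e["account"]] = e["ts"]
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_events(SAMPLE_LOG)):
        print(f"{alert['ticket']}: {alert['rule']} ({alert['account']}, caller {alert['caller']})")
```

Running the block on the constructed log flags nothing for the daytime reset or for the privileged reset that carried two approvals, but raises seven alerts across the three night-time tickets, including the shared-caller rule once the same number reaches a second account. In practice the caller number would be the number on file that the agent called back, not the inbound caller ID, since the impersonation bullet above notes that inbound IDs can be spoofed.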
Conclusion
The MGM breach proved that technical security measures can be undone by a single phone call. Attackers exploited help‑desk processes to reset MFA, then used legitimate credentials to infiltrate the network, causing $100 million in damages. To prevent the next MGM‑style breach, organizations must strengthen help‑desk verification, adopt phishing‑resistant MFA, implement zero‑trust principles and educate staff. By learning from MGM’s experience and acting now, you can protect your organization from similar costly attacks.
Don’t become the next headline. Get started for free today.