In September 2023, the bright lights of Las Vegas dimmed for a moment—not due to a power outage, but a sophisticated cyberattack that brought two of the Strip’s giants, MGM Resorts and Caesars Entertainment, to their knees.
The culprit? A cybercriminal group known as Scattered Spider. This wasn’t your typical smash-and-grab; it was a masterclass in social engineering that exposed vulnerabilities far beyond technical safeguards.
Who is Scattered Spider?
Scattered Spider, known for tactics like “vishing” (voice phishing), didn’t brute-force their way in. They researched employees meticulously, then impersonated them in calls to internal IT help desks. Using persistence and manipulation, they tricked support staff into handing over login credentials—often by exploiting multi-factor authentication (MFA) fatigue.
In some cases, employees received an overwhelming number of MFA prompts and, in frustration, approved one, unknowingly granting attackers full access.
The Fallout: MGM Resorts & Caesars Entertainment
The consequences were swift and devastating:
MGM Resorts:
- Casino floors went dark.
- Digital room keys stopped functioning.
- Online booking systems crashed.
- Restaurant reservations vanished.
- Guests waited hours to check in.
The incident involved collaboration with another threat group—ALPHV (BlackCat) ransomware operators. MGM took a hardline stance and refused to pay the ransom. Still, they suffered over $100 million in losses, with disruptions affecting both operations and customer trust.
Caesars Entertainment:
Here, the attack vector was different—a third-party IT vendor. But the outcome was just as severe. Scattered Spider exfiltrated sensitive data from a loyalty programme database, including driver’s licence numbers and Social Security information.
Unlike MGM, Caesars reportedly paid a ransom of $15 million, halving the original $30 million demand in hopes of preventing the leak of customer data.
Lessons for the Industry
These attacks served as a powerful reminder that:
- Human error is a critical vulnerability in any system.
- Social engineering can bypass even robust technical safeguards.
- Cybersecurity training for all employees—not just IT—is essential.
- Multi-factor authentication must be configured to prevent abuse (e.g. limiting prompts).
- Incident response plans must account for internal deception and third-party breaches.
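The MFA fatigue pattern described above (a burst of push prompts to one user that ends in an approval) is something a SOC can flag from authentication logs. The following detector is an added example, not code from the original article or from any vendor; the log format, the sample lines and the thresholds (more than 3 prompts in 10 minutes) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not from any real system. Assumed format per line:
# ISO-timestamp,username,event   (event: push_sent | push_denied | push_approved)
SAMPLE_LOG = """\
2023-09-10T02:14:05,a.smith,push_sent
2023-09-10T02:14:20,a.smith,push_denied
2023-09-10T02:14:25,a.smith,push_sent
2023-09-10T02:14:40,a.smith,push_denied
2023-09-10T02:15:01,a.smith,push_sent
2023-09-10T02:15:15,a.smith,push_denied
2023-09-10T02:15:30,a.smith,push_sent
2023-09-10T02:15:52,a.smith,push_approved
2023-09-10T09:00:00,b.jones,push_sent
2023-09-10T09:00:08,b.jones,push_approved
"""


def parse_log(text):
    """Parse the assumed CSV format into (timestamp, user, event) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, event = line.split(",")
            records.append((datetime.fromisoformat(ts), user, event))
    return records


def detect_push_fatigue(text, max_pushes=3, window=timedelta(minutes=10)):
    """Map user -> {"pushes": n, "approved_after_burst": bool} for users who got
    more than max_pushes prompts inside one `window`. A burst that ends in an
    approval is the fatigue signature: the attacker prompted until the user gave in."""
    events = defaultdict(list)
    for ts, user, event in parse_log(text):
        events[user].append((ts, event))
    findings = {}
    for user, evs in events.items():
        evs.sort()
        pushes = [ts for ts, e in evs if e == "push_sent"]
        start, peak, peak_end = 0, 0, None
        for end, ts in enumerate(pushes):
            while ts - pushes[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > peak:
                peak, peak_end = end - start + 1, ts
        if peak > max_pushes:
            approved = any(e == "push_approved" and peak_end <= t <= peak_end + window
                           for t, e in evs)
            findings[user] = {"pushes": peak, "approved_after_burst": approved}
    return findings
```

A finding with `approved_after_burst` set is the case that warrants an immediate session revocation and a call back to the user through a known-good channel; a burst without an approval still indicates a compromised password.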
Cybersecurity Training That Prepares You for Real Threats
If these stories highlight anything, it’s this: today’s threats don’t just target networks—they target people.
Want to gain the skills needed to defend organisations against this level of attack? Consider starting with the following certifications:
Weekly Cybersecurity Webinar – Join Us Live
Every Wednesday at 6:15 PM, we host a live cybersecurity career webinar.
Learn how to enter this critical industry, get certified, and start your journey toward becoming a cyber professional.
Conclusion
In the cat-and-mouse game of cybersecurity, it’s no longer enough to rely on firewalls and antivirus. The Las Vegas attacks of 2023 are a stark reminder that the real battlefield lies in human psychology and strategic deception. Whether you’re an aspiring cybersecurity professional or an enterprise leader, staying informed—and prepared—is no longer optional.