MGM 2023: When a Ten-Minute Phone Call Shut Down the Las Vegas Strip
What failed, why identity compromise became $100 million in public operational chaos, and what every organisation with a help desk should be rehearsing now.
Executive Summary
In September 2023, the threat group Scattered Spider used LinkedIn to identify an MGM Resorts employee, impersonated them in a phone call to MGM's IT help desk, and within ten minutes obtained administrator access to MGM's Okta and Azure tenant environments. From that single point of entry, the attackers deployed ALPHV/BlackCat ransomware across MGM's infrastructure. MGM chose to shut down affected systems to contain the threat — a decision that took hotel operations, casino floors, reservation systems, digital room keys, loyalty programmes, and payment processing offline across its Las Vegas properties. The shutdown lasted approximately ten days. MGM reported $100 million in third-quarter losses and disclosed that customer personal information was exfiltrated. This paper examines what failed, why an identity compromise became immediate public operational chaos, and what leadership teams should be rehearsing now.
What Failed
The attack began with reconnaissance, not technology. Scattered Spider identified a current MGM employee through LinkedIn, gathered enough personal detail to impersonate them convincingly, and called MGM's IT help desk requesting assistance with account access. The call lasted ten minutes. By the end of it, the attackers had been granted the credentials they needed.
From that initial foothold, the attackers escalated to administrator-level access in MGM's Okta identity platform and Azure cloud environment. Okta is the system that controls who can access what across the enterprise. With administrator privileges, the attackers had leverage over the identity layer that underpinned MGM's entire operational technology stack. They deployed ALPHV/BlackCat ransomware and began exfiltrating data. Scattered Spider later claimed to have extracted six terabytes of information from MGM's systems.
MGM detected the intrusion and made the decision to shut down affected systems. That decision was the right call for containment. It was also the beginning of a public operational crisis that would play out on the Las Vegas Strip for the next ten days.
Why the Impact Was Immediately Visible
Most cyberattacks create damage that is initially invisible to customers. Data breaches are discovered weeks later. Ransomware encrypts back-end systems that the public never sees. The MGM incident was different. The moment MGM shut down systems to contain the threat, the disruption became instantly visible to thousands of guests, staff, and the global media.
Hotel check-in systems went offline. Digital room keys stopped working. Casino slot machines displayed error screens. The MGM Resorts website and mobile app became unavailable. Reservation systems could not process bookings. Loyalty programme access was lost. Payment processing was disrupted. Guests arriving at MGM properties on the Las Vegas Strip encountered queues, manual workarounds, and staff who could not access the systems they needed to do their jobs.
Social media amplified the disruption in real time. Guests posted photos of darkened slot machine screens, handwritten room key receipts, and long check-in lines. The story moved from social media to mainstream news within hours. MGM's crisis was being narrated publicly before the company had completed its own assessment of what had happened.
This is the dynamic that makes MGM strategically important for resilience leaders in any customer-facing industry: the gap between the onset of disruption and the ability to explain it. When customers experience the failure before leadership can communicate about it, the narrative is set by the most visible symptoms, not by the company's response.
The Containment-Versus-Continuity Trap
MGM's decision to shut down systems was not a failure. It was the responsible choice. When an attacker has administrator access to your identity platform, continuing to operate means continuing to operate under the attacker's potential control. Shutting down reduces the blast radius and buys time to assess the scope of the compromise.
But the decision to contain creates its own crisis. Every system taken offline is a customer experience degraded, a revenue stream interrupted, and a public signal that something is seriously wrong. Leadership teams face a brutal tradeoff: accept ongoing risk to maintain operations, or accept certain operational damage to reduce uncertain security exposure.
This is the decision that most organisations have never practised making. They have incident response plans that describe containment steps. They have business continuity plans that describe how to maintain operations. What they rarely have is a rehearsed process for the moment when those two plans directly conflict — when the containment action is the continuity disruption, and leadership must decide in real time how much visible damage to accept in order to regain control.
The Decision Timeline
Ten Days of Public Crisis
Systems begin failing. MGM detects the intrusion and makes the decision to shut down affected systems. Guest-facing operations degrade immediately. Casino floors, hotel check-in, digital keys, reservations, and payment processing are all impacted. Social media posts from guests begin circulating. MGM issues an initial disclosure.
The story dominates news coverage. MGM properties operate on manual processes: handwritten receipts, physical room keys, cash-only transactions in some areas. Staff manage guest frustration with no clear timeline for restoration. Leadership must balance containment activity with public communications, regulatory obligations, and the daily reality of running hotels full of guests without functioning systems. Revenue losses accumulate at approximately $8.4 million per day.
Phased restoration begins. Systems come back online incrementally. Each restoration step requires verification that the attacker's access has been fully revoked. The public narrative has already been written: MGM was shut down by hackers for over a week. The longer-tail work of forensic investigation, regulatory notification, legal exposure assessment, and customer data breach disclosure continues for months.
The total cost of the shutdown was approximately $100 million in third-quarter losses, plus additional costs for forensic investigation, legal proceedings, and a reported $40 million commitment to cybersecurity improvements. MGM refused to pay the ransom. Caesars Entertainment, which was hit by the same group around the same time, reportedly paid approximately $15 million. Both approaches carried consequences. Neither eliminated the damage.
What the Incident Exposed
Identity is the control plane, not a perimeter layer. The attackers did not exploit a zero-day vulnerability or breach a firewall. They called the help desk, pretended to be an employee, and were given the keys to the kingdom. Once they had administrator access to the identity platform, they effectively controlled what every system in the enterprise could do. Identity compromise at the administrative level is not a user-account problem. It is an enterprise-control problem.
Social engineering defeats technology controls. MGM had security technology deployed. What it did not have was a help desk process that could withstand a determined social engineering attack. The attacker needed only one successful call to bypass layers of technical security. This is not a training problem. It is a process-design problem. Help desks that rely on knowledge-based verification (name, employee ID, manager name) are vulnerable to anyone who can gather that information from public sources.
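As an added illustration of the process-design point above (hypothetical policy, not MGM's help-desk procedure or any vendor's product), the following tiered verification gate treats knowledge-based answers as worthless for any privileged change and refuses to reuse a possession factor the caller claims to have lost:

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Factor(Enum):
    KNOWLEDGE = "knowledge"     # name, employee ID, manager name: collectable from LinkedIn
    POSSESSION = "possession"   # push/OTP to a device already enrolled for this account
    CALLBACK = "callback"       # help desk calls back the directory number on record
    IN_PERSON = "in_person"     # badge check at a staffed desk

@dataclass
class ResetRequest:
    requester: str
    action: str                 # "password_reset" or "mfa_reenroll" (assumed action names)
    target_is_admin: bool       # account holds an admin role in the identity platform
    factors_presented: set[Factor]

def acceptable_factors(req: ResetRequest) -> set[Factor]:
    """Factors that may count toward verification for this request."""
    ok = {Factor.POSSESSION, Factor.CALLBACK, Factor.IN_PERSON}
    if req.action == "mfa_reenroll":
        # The caller says the enrolled device is gone, so a push to it proves nothing.
        ok.discard(Factor.POSSESSION)
    return ok

def evaluate(req: ResetRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Knowledge answers alone never unlock anything."""
    strong = req.factors_presented & acceptable_factors(req)
    if req.target_is_admin:
        # Privileged targets: two independent strong factors, otherwise hand off
        # to the IAM on-call rather than letting a single agent decide.
        if len(strong) >= 2:
            return True, "privileged: two strong factors verified"
        return False, "privileged: escalate to IAM on-call; knowledge answers ignored"
    if strong:
        return True, "standard: one strong factor verified"
    if Factor.KNOWLEDGE in req.factors_presented:
        return False, "standard: knowledge-only verification refused"
    return False, "standard: no acceptable verification presented"

if __name__ == "__main__":
    # Constructed sample: a caller with a plausible LinkedIn-sourced story and nothing else.
    caller = ResetRequest("j.doe", "password_reset", True, {Factor.KNOWLEDGE})
    print(evaluate(caller))   # (False, 'privileged: escalate to IAM on-call; knowledge answers ignored')
```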
Customer-facing businesses lose control of the narrative immediately. In industries where the customer is physically present during the disruption — hospitality, retail, healthcare, transportation — the incident is documented by the customer in real time. By the time leadership has a statement ready, thousands of social media posts have already defined what happened. The communications challenge is not crafting the right message. It is responding to a narrative that is already moving faster than the investigation.
Containment and continuity are in direct tension. The decision to shut down systems was correct from a security perspective and devastating from an operations perspective. Most organisations have not rehearsed the moment when these two imperatives collide. They discover the conflict live, under pressure, with no prior experience to guide the tradeoff.
The Resilience Lens
The conventional analysis of MGM focuses on help desk controls, MFA gaps, and identity platform hardening. Those are legitimate takeaways. But the resilience lesson goes deeper.
MGM demonstrated what happens when an identity compromise at the administrative level forces a real-time choice between continued exposure and deliberate operational shutdown, and that choice plays out in front of customers, media, regulators, and the market simultaneously. That is not a cybersecurity problem. It is a leadership problem.
The organisations that will handle the next identity-driven crisis well are not the ones with the best identity platforms, although that matters. They are the ones whose leadership teams have already practised the moment when security says "shut it down" and operations says "we have a building full of customers." The decision that follows, and the speed and clarity with which it is communicated, is what separates a managed incident from a public disaster.
What Boards Should Be Asking
After MGM, the natural response was to audit help desk procedures and identity platform controls. Necessary. But not sufficient.
- Could a single social engineering call to our help desk give an attacker administrator access to our identity platform today?
- If we had to shut down customer-facing systems to contain an active threat, which operations would fail first, and how would we manage thousands of affected customers in real time?
- Has our leadership team ever rehearsed the containment-versus-continuity decision — the moment when the security response and the business response directly conflict?
- How quickly can we issue a credible public statement when the disruption is already visible on social media, and the investigation is still in its first hours?
- Do we know the financial cost per day of a full operational shutdown, and has that number informed our crisis decision-making thresholds?
If the answer to most of these is "we haven't tested it," then MGM is a direct warning. A ten-minute phone call was enough to create a ten-day, $100 million public crisis. The sophistication of the attack was low. The consequences were enormous. The difference between the organisations that survive this pattern and those that do not is whether leadership has practised the decisions before they have to make them in public.
Conclusion
The MGM attack was not sophisticated. It was effective. A threat group used publicly available information and a phone call to compromise an identity platform, deploy ransomware, and force one of the largest hospitality companies in the world to shut down operations on the Las Vegas Strip for ten days. The financial damage was $100 million. The reputational damage played out in real time on social media and global news coverage.
The lesson is not confined to hospitality or gaming. It applies to every organisation where identity systems control access to operational technology, where customers are physically present during disruptions, and where the decision to contain a threat means accepting visible, immediate business damage. That describes most enterprises.
The organisations that will handle the next identity-driven crisis well are not the ones that assume it cannot happen to them. They are the ones whose leadership teams have already sat in a room, faced the containment-versus-continuity tradeoff, and discovered what they would actually decide — before the decision had to be made with the world watching.
Rehearse This Scenario
CrisisLoop builds structured executive exercises around real-world incidents like this one. If your leadership team has never rehearsed an identity compromise that forces a public operational shutdown, that gap is worth closing before the next one happens in front of your customers.