Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
DataBreachCost.com
Case File 04.MGM / MGM Resorts International | Disclosed 11 Sept 2023

Case ID

MGM Resorts 2023: ~$100M from a 10-minute phone call.

In September 2023 the Scattered Spider group, working with the ALPHV/BlackCat ransomware operation, used a ten-minute social-engineering phone call to MGM's IT help desk to seize administrator access to its Okta and Azure environments. MGM took systems offline rather than pay the ransom. Slot machines, digital room keys, reservation systems, and websites went dark for roughly ten days. MGM disclosed an approximately $100 million negative impact to quarterly EBITDAR, under $10 million in one-time response costs, and later settled class litigation covering its 2019 and 2023 breaches for $45 million.

EBITDAR impact: ~$100M (Q3 2023, 8-K disclosure)
Outage: ~10 days (Strip + regional operations)
Initial access: 10-min call (help-desk social engineering)
Class settlement: $45M (covers 2019 + 2023 breaches)

Section MGM.1

A ten-minute call to the help desk

The MGM intrusion required no malware exploit and no stolen credential. According to widely reported accounts and the threat actor's own statements, members of Scattered Spider (also tracked as UNC3944 and associated with the "Oktapus" phishing crews) identified a current MGM employee on LinkedIn, called MGM's IT help desk impersonating that employee, and talked the help desk into resetting access. The call reportedly lasted about ten minutes. With that reset, the attackers obtained elevated privileges in MGM's Okta identity platform and Azure cloud tenant.
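The detection counterpart to the sequence described above is a correlation rule: a help-desk credential or MFA reset on an account, followed within a short window by a privileged action involving that account. The following is an added example, not MGM's or any identity vendor's code; the event records are constructed and use a generic schema (ts, type, actor, target, detail), and the event-type names and the one-hour window are assumptions that a real deployment would map onto its identity provider's own log fields and tune to its reset volume.

```python
"""Correlate help-desk resets with privileged actions shortly afterwards.

Added example, not MGM's or any identity vendor's code. Event records are
constructed; type names and the default window are assumptions.
"""
from datetime import datetime, timezone

RESET_TYPES = {"helpdesk.reset_mfa", "helpdesk.reset_password"}
PRIVILEGED_PREFIX = "admin."   # role grants, policy changes, etc. (assumed naming)

# Constructed sample events (not real MGM telemetry), deliberately unsorted.
SAMPLE_EVENTS = [
    {"ts": "2023-09-08T14:02:10Z", "type": "helpdesk.reset_mfa",
     "actor": "helpdesk.agent7", "target": "jdoe", "detail": "ticket HD-1001, caller verified by job title"},
    {"ts": "2023-09-08T14:05:41Z", "type": "auth.login",
     "actor": "jdoe", "target": "jdoe", "detail": "new device, new factor"},
    {"ts": "2023-09-08T14:09:03Z", "type": "admin.role_granted",
     "actor": "jdoe", "target": "svc-deploy", "detail": "Super Administrator"},
    {"ts": "2023-09-08T16:30:00Z", "type": "helpdesk.reset_password",
     "actor": "helpdesk.agent2", "target": "asmith", "detail": "ticket HD-1002"},
    {"ts": "2023-09-09T09:15:00Z", "type": "admin.role_granted",
     "actor": "it-admin", "target": "asmith", "detail": "Help Desk Administrator"},
    {"ts": "2023-09-08T10:00:00Z", "type": "helpdesk.reset_password",
     "actor": "helpdesk.agent3", "target": "bwong", "detail": "ticket HD-0998"},
    {"ts": "2023-09-08T10:25:00Z", "type": "admin.role_granted",
     "actor": "ops-admin", "target": "bwong", "detail": "Organization Administrator"},
]


def _parse_ts(ts):
    """ISO 8601 timestamps with a trailing Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_reset_then_privilege(events, window_seconds=3600):
    """Return one alert per privileged event whose actor or target was reset by
    the help desk within `window_seconds` beforehand. Alerts are in time order."""
    ordered = sorted(events, key=lambda e: _parse_ts(e["ts"]))
    last_reset = {}   # account -> (reset time, reset event)
    alerts = []
    for ev in ordered:
        ts = _parse_ts(ev["ts"])
        if ev["type"] in RESET_TYPES:
            last_reset[ev["target"]] = (ts, ev)
            continue
        if not ev["type"].startswith(PRIVILEGED_PREFIX):
            continue
        # The reset account may be the one acting (using regained access) or
        # the one being granted privileges; check both.
        for account in sorted({ev["actor"], ev["target"]}):
            if account not in last_reset:
                continue
            reset_ts, reset_ev = last_reset[account]
            gap = int((ts - reset_ts).total_seconds())
            if 0 <= gap <= window_seconds:
                alerts.append({
                    "account": account,
                    "reset_type": reset_ev["type"],
                    "reset_by": reset_ev["actor"],
                    "reset_ts": reset_ev["ts"],
                    "privileged_event": ev["type"],
                    "privileged_ts": ev["ts"],
                    "seconds_after_reset": gap,
                    "detail": ev["detail"],
                })
    return alerts


if __name__ == "__main__":
    for a in find_reset_then_privilege(SAMPLE_EVENTS):
        print(f"ALERT {a['account']}: {a['reset_type']} by {a['reset_by']} at {a['reset_ts']}, "
              f"then {a['privileged_event']} ({a['detail']}) {a['seconds_after_reset']}s later")
```

On the constructed events the rule fires twice (the MFA reset on jdoe followed seven minutes later by a Super Administrator grant, and the password reset on bwong followed 25 minutes later by an Organization Administrator grant) and stays silent on asmith, whose role grant came the next morning. The window is the tuning knob: too short and a patient attacker waits it out, too long and routine onboarding resets drown the queue.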

Scattered Spider partnered with the ALPHV/BlackCat ransomware-as-a-service operation to monetise the access. MGM disclosed a "cyber security incident" on 11 September 2023. Rather than pay a ransom, MGM took large portions of its environment offline to contain the attack. The decision protected MGM from funding the criminal operation but produced an extended, highly visible operational outage across its casino and hotel estate.

The contrast with Caesars Entertainment, hit by the same threat-actor ecosystem around the same time, is instructive. Caesars reportedly paid roughly half of a ~$30 million ransom demand (about $15 million) and avoided a comparable public outage. MGM refused and absorbed the operational cost instead. The two responses became a paired case study in the economics of paying versus refusing.

Section MGM.2

The cost composition

Cost line item | Amount | Source
Negative EBITDAR impact (Las Vegas Strip + Regional) | ~$100M | MGM SEC 8-K, October 2023
One-time response costs (remediation, legal, advisory, IR) | < $10M | MGM SEC 8-K, October 2023
Class-action settlement (covers 2019 + 2023 breaches) | $45M | Preliminary approval, US District Court (Nevada), Jan 2025
Ransom paid | $0 (MGM refused) | Contemporaneous reporting; MGM took systems offline instead
Insurance recovery | Expected substantially covered | MGM statement (cybersecurity insurance)
Reference: Caesars (same actor) ransom | ~$15M paid | Reported ~half of ~$30M demand

The headline ~$100 million is the negative impact to Adjusted Property EBITDAR that MGM disclosed for the affected quarter, not a cash outflow in the sense of a fine or settlement; it reflects lost gaming and hotel revenue during the outage. MGM separately disclosed under $10 million in one-time response costs and expected its cybersecurity insurance to substantially cover the impact. The $45 million class settlement, preliminarily approved in early 2025, covers both the 2023 ransomware breach and an earlier 2019 MGM data exposure.

Section MGM.3

What was stolen, and how many were affected

MGM stated that the attackers obtained personal information belonging to some customers who had transacted with MGM before March 2019. The exposed fields included names, contact information, gender, dates of birth, and driver's license numbers, and for a smaller subset of customers, Social Security numbers and passport numbers. MGM emphasised that it had no evidence the attackers used the data for identity theft or account fraud, and that customer passwords, bank account numbers, and full payment-card numbers were not in the affected systems.

A precise count for the 2023 incident alone is not cleanly broken out in public disclosures, because the customer data implicated overlapped with the population affected by MGM's earlier 2019 breach. The consolidated class action that produced the $45 million settlement estimated approximately 37 million people affected across both the 2019 and 2023 incidents combined. Reporting the 2023 figure as a standalone number would overstate precision; the accurate framing is that the 2023 data theft drew from MGM's pre-March-2019 customer records and was litigated jointly with the 2019 exposure.

Section MGM.4

The $45M settlement and the pay-or-refuse question

In January 2025 a federal judge in the District of Nevada granted preliminary approval to a $45 million settlement resolving consolidated class-action claims over MGM's 2019 and 2023 data breaches. The settlement structure offered tiered cash payments scaled to the sensitivity of the data exposed, with reported tiers around $75 for the most sensitive categories (such as Social Security or military identifiers), $50 for passport or driver's license exposure, and smaller amounts for less sensitive data, plus an option for identity-theft protection and credit monitoring, with a per-person maximum for documented losses reported up to $15,000.

The MGM case crystallised the strategic question every ransomware victim now faces. MGM refused to pay and absorbed roughly $100 million in lost EBITDAR from the outage; Caesars paid roughly $15 million and avoided the public shutdown. Neither outcome is obviously cheaper once reputational effects, insurance, regulatory scrutiny, and the moral hazard of funding criminal groups are weighed. The pairing is now standard teaching material for boards weighing ransomware response policy in advance, because the decision must be made under time pressure during an active incident if it is not pre-decided.

Section MGM.5

Lessons: the help desk is the perimeter

The MGM breach moved help-desk social engineering from a theoretical concern to a board-level priority. The attackers defeated MGM's technical controls not by breaking them but by persuading a human with reset authority to bypass them. The defensive response that the case has driven is stronger identity-verification procedures for any privileged-access reset: call-back verification, manager approval, knowledge that cannot be scraped from LinkedIn, and removing the help desk's ability to unilaterally reset MFA for high-privilege accounts.
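The reset-verification procedure described above can be written down as a policy the help-desk tooling enforces rather than a checklist the agent remembers under pressure. The following is an added example, not MGM's or any identity vendor's code: it goes slightly beyond the paragraph by distinguishing password from MFA resets and by treating scrapable facts (job title, manager name) as worth nothing. The tier names, verification-method names and the specific thresholds are assumptions chosen for illustration.

```python
"""Tiered help-desk reset policy: privileged accounts are never reset by the
help desk alone, scrapable facts carry no weight, and MFA resets need approval.

Added example, not MGM's or any identity vendor's code. Tier names,
verification-method names and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Tier(Enum):
    STANDARD = "standard"        # ordinary workforce account
    PRIVILEGED = "privileged"    # IdP or cloud admin, break-glass, etc.


class Decision(Enum):
    ALLOW = "allow"              # help desk may perform the reset
    DENY = "deny"                # verification insufficient; do not reset
    ESCALATE = "escalate"        # help desk has no authority; route to identity team


# Verification methods (assumed names). Anything an attacker could learn from
# LinkedIn or the company website is listed as scrapable and ignored.
SCRAPABLE = {"job_title", "manager_name", "employee_start_date", "office_location"}
STRONG = {"callback_number_on_record", "in_person_badge", "video_with_badge"}


@dataclass
class ResetRequest:
    account: str
    tier: Tier
    reset_kind: str                       # "password" or "mfa"
    verifications: set = field(default_factory=set)
    manager_approval_ticket: Optional[str] = None


@dataclass
class Outcome:
    decision: Decision
    reasons: list


def evaluate_reset(req: ResetRequest) -> Outcome:
    """Decide whether the help desk may perform the requested reset."""
    reasons = []

    # Rule 1: privileged accounts are taken out of the help desk's hands entirely.
    if req.tier is Tier.PRIVILEGED:
        reasons.append("privileged account: help desk cannot reset; route to identity team")
        return Outcome(Decision.ESCALATE, reasons)

    # Rule 2: only non-scrapable verification counts toward identity.
    strong = req.verifications & STRONG
    ignored = req.verifications & SCRAPABLE
    if ignored:
        reasons.append(f"ignored scrapable checks: {sorted(ignored)}")
    if not strong:
        reasons.append("no strong verification (e.g. call-back to number on record)")
        return Outcome(Decision.DENY, reasons)
    reasons.append(f"strong verification: {sorted(strong)}")

    # Rule 3: enrolling a new factor is the foothold the attacker wants, so an
    # MFA reset additionally needs the manager's approval on a ticket.
    if req.reset_kind == "mfa":
        if not req.manager_approval_ticket:
            reasons.append("mfa reset requires manager approval ticket")
            return Outcome(Decision.DENY, reasons)
        reasons.append(f"manager approval: {req.manager_approval_ticket}")

    return Outcome(Decision.ALLOW, reasons)


if __name__ == "__main__":
    # Constructed requests, not real accounts.
    samples = [
        ResetRequest("okta-admin-01", Tier.PRIVILEGED, "mfa", {"callback_number_on_record"}, "CHG-1"),
        ResetRequest("jdoe", Tier.STANDARD, "mfa", {"job_title", "manager_name"}),
        ResetRequest("jdoe", Tier.STANDARD, "password", {"callback_number_on_record"}),
        ResetRequest("jdoe", Tier.STANDARD, "mfa", {"callback_number_on_record"}),
        ResetRequest("jdoe", Tier.STANDARD, "mfa", {"callback_number_on_record"}, "CHG-42"),
    ]
    for r in samples:
        out = evaluate_reset(r)
        print(f"{r.account} {r.tier.value} {r.reset_kind}: {out.decision.value} ({'; '.join(out.reasons)})")
```

The second sample request is the MGM pattern as the page describes it: a caller offering only facts that can be read off a LinkedIn profile. The policy denies it outright, and the reasons list is what the ticket should record so that a later reviewer can see which checks the agent actually ran.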

The second lesson is the cost geometry of an outage versus a settlement. The dominant cost of the MGM incident was not a fine or a ransom but ten days of lost casino and hotel revenue, roughly $100 million, far exceeding the under-$10-million response cost and even the $45 million class settlement that came later. For revenue-dense, real-time operations like casinos, airlines, and retail, operational downtime is the principal breach cost, which changes the calculus on resilience, segmentation, and recovery-time investment relative to industries where notification and settlement dominate.

Schedule F / Reference Q&A

Frequently Asked Questions

Primary source: MGM Resorts 2023 breach data from MGM SEC 8-K filings (September and October 2023), MGM customer notification statements, the consolidated class-action settlement preliminarily approved in the US District Court for the District of Nevada (January 2025), and contemporaneous reporting on the Scattered Spider / ALPHV attack and the parallel Caesars Entertainment incident. The ~$100M figure is a disclosed EBITDAR impact, not a fine or cash penalty (verified 13 June 2026).