
Mohammad Ashraful Islam
7 Oct 2023
The Human Hack Factor: A $100 Million Lesson from MGM Resorts’ Cyberattack
Table of Contents:
I. The Attack
II. The Human Hack Factor
III. The Cost of the Attack
IV. Lessons Learned
V. Conclusion
In the digital age, cybersecurity is a top priority for businesses worldwide. However, even the most robust IT security measures can be undermined by a single human error. This was the harsh lesson learned by MGM Resorts, a prominent casino chain, when it fell victim to a cyberattack that cost an estimated $100 million [1].
The Attack

The Human Hack Factor
The attackers, known as Scattered Spider, didn’t exploit a technical vulnerability in MGM’s systems [1][2]. Instead, they used social engineering techniques to manipulate an MGM employee into providing them with access credentials [1][2]. This method of attack, known as “vishing,” involves making a convincing phone call to gain access to systems [1][2].
Scattered Spider is believed to have been founded in May 2022 [2]. The group utilized SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram [2]. They exploited the security bug CVE-2015-2291, a cybersecurity issue in Windows’ anti-DoS software [2], to terminate security software, allowing the group to evade detection [2].
In this case, Scattered Spider found an employee’s information on LinkedIn and impersonated them in a call to MGM’s IT help desk to obtain credentials to access and infect the systems [1][2].
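The multi-factor authentication fatigue attacks mentioned above leave a recognisable trace in authentication logs: a burst of push prompts to one user in a short time, often ending with an approval after several denials. The following detector is an added example written for this article; it is not code from MGM Resorts or from any identity vendor. The log line format, the user names and the PUSH_DENIED / PUSH_APPROVED result names are assumptions chosen for illustration, and the sample log is constructed.

```python
"""Detect MFA push-bombing (MFA fatigue) bursts in authentication logs.

Added example for this article; it is not code from MGM Resorts or from any
vendor. The log line format and the PUSH_DENIED / PUSH_APPROVED result names
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one MFA push prompt per line.
# Fields: ISO-8601 UTC timestamp, username, prompt result.
SAMPLE_LOG = """\
2023-09-10T02:01:05Z alice PUSH_DENIED
2023-09-10T02:01:40Z alice PUSH_DENIED
2023-09-10T02:02:10Z alice PUSH_DENIED
2023-09-10T02:02:50Z alice PUSH_DENIED
2023-09-10T02:03:30Z alice PUSH_APPROVED
2023-09-10T09:15:00Z bob PUSH_APPROVED
2023-09-10T14:00:00Z carol PUSH_DENIED
2023-09-10T18:30:00Z carol PUSH_APPROVED
"""


def parse_events(text):
    """Parse log lines into (timestamp, user, result) tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def _rank(alert):
    """Approval-after-denials outranks burst size when choosing what to report."""
    return (alert["approved_after_denials"], alert["prompts"])


def find_push_bombing(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: alert} for users who received `threshold` or more push
    prompts inside any sliding `window`.

    Each alert records the size of the reported burst, how many prompts in it
    were denied, and whether the burst ended with an approval after earlier
    denials: the signature of a user who finally tapped "approve" to make the
    prompts stop.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    alerts = {}
    for user, evs in by_user.items():
        start = 0
        for end, (ts, result) in enumerate(evs):
            # Slide the window start forward until evs[start:end+1] fits in `window`.
            while ts - evs[start][0] > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < threshold:
                continue
            denied = sum(1 for _, r in burst if r == "PUSH_DENIED")
            candidate = {
                "prompts": len(burst),
                "denied": denied,
                "approved_after_denials": denied > 0 and result == "PUSH_APPROVED",
            }
            prev = alerts.get(user)
            if prev is None or _rank(candidate) > _rank(prev):
                alerts[user] = candidate
    return alerts


if __name__ == "__main__":
    for user, alert in find_push_bombing(parse_events(SAMPLE_LOG)).items():
        print(user, alert)
```

Run against the constructed sample, only alice is reported: five prompts in under three minutes, four denied, then an approval. bob and carol each receive prompts hours apart and stay below the threshold. An alert with approved_after_denials set is the one to escalate, since it indicates a session that was opened under pressure rather than by a user who simply dismissed a stray prompt; pairing it with a recent help-desk credential reset for the same account is the check a responder would want next.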

The Cost of the Attack
Lessons Learned
This incident serves as a stark reminder of the importance of robust cybersecurity measures for all organizations. It also highlights the potential risks associated with social engineering attacks and the need for continuous vigilance and training to prevent such breaches.
Key takeaways include:
- Human Factor: Even with strong IT security measures in place, human error can still lead to significant breaches.
- Social Engineering: Techniques like vishing can be highly effective. Continuous training and awareness are crucial to mitigate these risks.
- Publicly Available Information: Information shared online can be used by attackers. Employees should be cautious about what they share on platforms like LinkedIn.
Conclusion
The MGM Resorts cyberattack underscores that cybersecurity is not just about technology; it’s also about people. As business leaders, it’s crucial to invest in continuous training and awareness programs for employees to complement technical security measures. After all, in cybersecurity, the human factor can be both the weakest link and the strongest defense.