MGM Resorts Data Exfiltration: How Social Engineering Led to $100M in Damages
On September 8, 2023, a member of the Scattered Spider hacking collective called MGM Resorts' IT helpdesk, impersonated an employee found on LinkedIn, and persuaded a technician to reset their multi-factor authentication credentials. Within 24 hours, the attackers had domain administrator access. Within 48 hours, they had exfiltrated sensitive customer data including Social Security numbers, passport images, and driver's licence scans. MGM's slot machines, hotel key systems, and reservation platforms went dark for 10 days. Total losses exceeded $100 million.
$100M+ in losses from a single social engineering phone call to an IT helpdesk.
Attack Timeline and Data Exfiltration
The MGM attack followed a precise escalation path from social engineering to full domain compromise to mass data exfiltration. Scattered Spider — working with the ALPHV/BlackCat ransomware-as-a-service operation — used credentials obtained through the helpdesk call to access MGM's Okta identity provider. From there, they moved laterally using legitimate administrative tools, avoiding traditional malware detection entirely. The group exfiltrated customer personally identifiable information before deploying ALPHV's ESXi encryptors against MGM's virtualisation infrastructure.
- September 8: Social engineering call resets MFA for a compromised employee identity
- September 8–9: Attackers pivot from Okta to Active Directory, escalate to domain admin
- September 9–10: Lateral movement across MGM's network using legitimate admin tools
- September 10: Customer data exfiltration begins — SSNs, passports, driver's licences extracted
- September 10–11: ALPHV ransomware deployed against ESXi hypervisors
- September 11: MGM takes systems offline — casinos, hotels, restaurants all affected
- September 20: Full operations restored after 10 days of disruption
What Data Was Exfiltrated
MGM's SEC filing confirmed that attackers exfiltrated personal information belonging to customers who transacted with MGM before March 2019. The stolen data included full names, phone numbers, email addresses, postal addresses, dates of birth, gender, driver's licence numbers, Social Security numbers, and passport numbers. For a subset of customers, the breach also included loyalty programme information, which could be used for targeted phishing campaigns. The combination of identity documents and personal details created a high-value dataset for identity fraud and secondary attacks.
The Exfiltration Detection Gap
MGM had invested significantly in perimeter security, endpoint detection, and network monitoring. Despite this investment, the data exfiltration phase of the attack proceeded without triggering automated blocking. This is a common pattern in modern attacks: once attackers obtain legitimate credentials, their activities — including large data transfers — can resemble normal administrative operations. Traditional security tools are designed to detect malicious software and known attack signatures, not to distinguish between authorised and unauthorised data movement by authenticated users. Anti-data exfiltration technology like BlackFog addresses this specific gap by monitoring all outbound data flows at the endpoint level, blocking transfers to unauthorised destinations regardless of what credentials the sender holds.
Lessons for Enterprise Data Protection
The MGM incident demonstrates that identity compromise is the new perimeter breach. Once an attacker holds valid credentials, the only remaining defence against data loss is technology that monitors and controls outbound data movement. Organisations must assume that perimeter defences will eventually be bypassed — whether through social engineering, credential theft, or zero-day exploits — and deploy controls that prevent data from leaving even when the attacker has legitimate access. This "assume breach" posture is the foundation of modern data protection strategy.
- Helpdesk identity verification must include out-of-band confirmation for sensitive operations
- MFA resets should require manager approval and trigger automated monitoring escalation
- Anti-data exfiltration controls must operate independently of user authentication status
- Network segmentation should limit blast radius when a single identity is compromised
- Incident response plans must include playbooks for identity compromise scenarios
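The detection gap described above (authenticated, privileged users moving bulk data) and the lessons just listed (MFA resets that trigger monitoring escalation, exfiltration controls that ignore the sender's authentication status) can be illustrated with two small defender-side checks. The following is an added example and is not BlackFog's, MGM's, or any vendor's code; the log format, field names, allowlist, byte threshold, and escalation window are all assumptions chosen for illustration, and every log line is constructed sample data.

```python
"""Added example (not BlackFog's or MGM's code): two defender-side checks
keyed on the gaps the case study describes.

1. Outbound transfer policy: egress is judged by destination allowlist and
   byte volume only. The sender's privilege level is never consulted, so a
   domain admin pushing data to an unsanctioned host is blocked like anyone else.
2. Identity-risk correlation: an MFA reset followed within a short window by
   a new group membership on the same identity raises an escalation.

All log lines, field names, thresholds and hostnames are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed policy values: hosts sanctioned for bulk data, a per-transfer byte
# threshold above which even sanctioned transfers are reviewed, and the
# window in which an MFA reset plus a privilege change is treated as linked.
ALLOWED_DESTINATIONS = {"backup.corp.example", "storage.vendor.example"}
BULK_THRESHOLD_BYTES = 1024 * 1024 * 1024        # 1 GiB (assumed)
ESCALATION_WINDOW = timedelta(hours=24)          # assumed


@dataclass
class Transfer:
    ts: datetime
    user: str
    is_admin: bool
    dest: str
    nbytes: int


@dataclass
class IdentityEvent:
    ts: datetime
    user: str
    kind: str      # constructed vocabulary: "mfa_reset" or "group_add"
    detail: str


# Constructed sample logs, pipe-delimited: ts|user|is_admin|dest|bytes
TRANSFER_LOG = """\
2023-09-09T02:10:00|svc_backup|1|backup.corp.example|734003200
2023-09-10T03:41:00|j.doe|1|203.0.113.77|2147483648
2023-09-10T03:55:00|a.lee|0|storage.vendor.example|1048576
2023-09-10T04:02:00|j.doe|1|storage.vendor.example|3221225472
"""

# Constructed sample identity-provider events: ts|user|kind|detail
IDENTITY_LOG = """\
2023-09-08T14:05:00|j.doe|mfa_reset|helpdesk phone request
2023-09-08T22:30:00|j.doe|group_add|Domain Admins
2023-09-07T09:00:00|a.lee|group_add|Help Desk
"""


def parse_transfers(text: str) -> List[Transfer]:
    out = []
    for line in text.strip().splitlines():
        ts, user, admin, dest, nbytes = line.split("|")
        out.append(Transfer(datetime.fromisoformat(ts), user,
                            admin == "1", dest, int(nbytes)))
    return out


def parse_identity_events(text: str) -> List[IdentityEvent]:
    out = []
    for line in text.strip().splitlines():
        ts, user, kind, detail = line.split("|")
        out.append(IdentityEvent(datetime.fromisoformat(ts), user, kind, detail))
    return out


def evaluate_transfers(transfers: List[Transfer]) -> List[dict]:
    """One verdict per transfer. Note that t.is_admin is never read: the
    decision rests on destination and volume, not on who is sending."""
    verdicts = []
    for t in transfers:
        if t.dest not in ALLOWED_DESTINATIONS:
            action = "block"        # unsanctioned destination, any volume
        elif t.nbytes >= BULK_THRESHOLD_BYTES:
            action = "review"       # sanctioned host, unusual volume
        else:
            action = "allow"
        verdicts.append({"user": t.user, "dest": t.dest, "action": action})
    return verdicts


def correlate_identity_risk(events: List[IdentityEvent]) -> List[str]:
    """Return identities that had an MFA reset and then gained a group
    membership within ESCALATION_WINDOW, in sorted order."""
    resets: Dict[str, List[datetime]] = {}
    for e in events:
        if e.kind == "mfa_reset":
            resets.setdefault(e.user, []).append(e.ts)
    flagged = set()
    for e in events:
        if e.kind != "group_add":
            continue
        for reset_ts in resets.get(e.user, []):
            if timedelta(0) <= e.ts - reset_ts <= ESCALATION_WINDOW:
                flagged.add(e.user)
    return sorted(flagged)


if __name__ == "__main__":
    for v in evaluate_transfers(parse_transfers(TRANSFER_LOG)):
        print(v)
    print("escalate:", correlate_identity_risk(parse_identity_events(IDENTITY_LOG)))
```

Run as-is, the second transfer (an admin sending 2 GiB to an address outside the allowlist) is blocked even though the sender holds an admin flag, the fourth (a sanctioned host but 3 GiB) is queued for review, and `j.doe` is escalated because the MFA reset and the Domain Admins addition fall within the same 24-hour window. The two checks are independent on purpose: the egress policy must hold even when the identity checks have already been defeated.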
Frequently Asked Questions
Who was behind the MGM Resorts attack?
The attack was conducted by Scattered Spider (UNC3944), a loosely affiliated group of predominantly English-speaking cybercriminals, working with the ALPHV/BlackCat ransomware-as-a-service operation. Members were primarily aged 19–22 and based in the US and UK.
Did MGM pay the ransom?
MGM refused to pay. Caesars Entertainment, targeted by the same group weeks earlier using identical techniques, paid approximately $15 million. Neither payment nor refusal prevented the exfiltrated data from being circulated.
How could anti-data exfiltration have helped MGM?
BlackFog monitors all outbound data flows at the endpoint level, blocking transfers to known malicious infrastructure and unauthorised destinations. Even with domain admin credentials, the bulk exfiltration of customer PII to attacker-controlled servers would have been detected and blocked in real time.
Stop data exfiltration before it becomes a $100M problem
Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.
Ready to stop data exfiltration?
Start with a free 30-day BlackFog assessment — 25 devices, no obligation.