Presented by the Privacy and Data Security Practice Group

The MGM Data Breach: Hackers Leverage LinkedIn Data to Pull Off Sophisticated Social Engineering Attack

By
David J. Shannon

On September 11, 2023, MGM announced that it had been the victim of a sophisticated data breach attack. Reportedly, the hacking group Scattered Spider was able to shut down and paralyze a large part of MGM Resorts International’s computer systems. MGM operates over 30 hotel and casino gaming venues around the world. Caesar’s Entertainment has also allegedly been the victim of a similar attack in recent weeks and was forced to pay a ransom.

Scattered Spider is a relatively new hacking group that uses social engineering to trick employees to unwittingly provide login credentials or passwords to allow Scattered Spider to bypass security systems. Various reports indicate that Scattered Spider used the information from an MGM employee’s LinkedIn page to allow the hacking group to impersonate the individual and call MGM’s IT help desk. The help desk then reset passwords for the individual, which allowed Scattered Spider to gain access to the systems and then move laterally to deploy their sophisticated attack.  

This incident once again highlights that no matter how great a company’s security system is, human error can always lead to devastating losses for the business. MGM has reported losing tens of millions of dollars a day as a result of this attack and may be forced to pay a significant ransom. All businesses and their insurance carriers should use this incident to reinforce to their clients and employees that never-ending vigilance is needed to stop these types of hacking attacks. Insurers should be consistently questioning their insureds about what programs, policies, and procedures are being used to educate employees about social engineering tactics and events.   
 

 

Legal Updates for Privacy and Data Security, September 15, 2023, has been prepared for our readers by Marshall Dennehey. It is solely intended to provide information on recent legal developments and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects. If you receive the alerts in error, please send a note tamontemuro@mdwcg.com. ATTORNEY ADVERTISING pursuant to New York RPC 7.1. © 2023 Marshall Dennehey. All Rights Reserved.