In September 2023, MGM Resorts—one of the world’s largest hotel and casino groups—fell victim to a cyberattack that disrupted operations for nearly a week. The incident affected iconic properties including the Bellagio, Cosmopolitan, and Mandalay Bay, with slot machines, ATMs, payment systems, and online reservations all being compromised.
The investigation identified the Scattered Spider group, associated with the ALPHV (BlackCat) ransomware, as responsible. The attackers employed vishing (voice phishing) and MFA (multi-factor authentication) fatigue tactics to gain access and encrypt systems. This incident came on top of a previous data breach in 2019, which had already exposed the personal information of 10.6 million customers.
Despite publicly announced improvements in cybersecurity, the consequences of the 2023 attack extended into 2025, resulting in financial losses exceeding $100 million. In response, MGM pledged to invest an additional $50 million in digital security. However, affected customers filed a class action lawsuit, holding the company accountable for data exposure and insufficient protection. The lawsuit culminated in a $45 million legal settlement to financially compensate those impacted by the breaches in 2019 and 2023.
This case highlights the imperative of consistent investment in robust cybersecurity practices—blending advanced technology with effective policies and a company-wide culture focused on data protection. Ongoing staff awareness and training are crucial to identifying and neutralising threats before they cause significant damage. By integrating security into the strategic core of the business, organisations not only reduce the likelihood of incidents but also strengthen their capacity to respond and adapt to increasingly sophisticated cyberattacks.