Learning from the MGM Security Breach

In the rapidly evolving digital landscape, no entity is immune to the pervasive threat of cyberattacks. The security breach at MGM Resorts highlights the vulnerability of even massive organizations. As we reflect on this incident, several key lessons emerge. These lessons urge us to reassess our approach to cybersecurity as we navigate the complexities of the year 2024.


The MGM Breach: A Closer Look 

MGM Resorts, a prominent casino chain with a global footprint, fell victim to a cyberattack that disrupted its operations for several days. The attackers employed sophisticated social engineering techniques, specifically “vishing,” to impersonate a legitimate IT worker on the phone. They were able to call MGM’s IT Help Desk and successfully answer its verification questions using details they had previously gathered through OSINT. After asking the help desk for assistance with a password reset, the attackers gained initial entry. From there the situation only spiraled further for MGM: the bad actors went on to obtain administrator rights, which allowed them to deploy ransomware. The aftermath revealed that personal information of some customers, including names, contact details, dates of birth, driver’s license numbers, and other sensitive identification data, had been compromised.

Taking a closer look at this security breach helps us to identify key lessons learned that will aid in bettering our own security posture.

Lessons Learned 

1. Never Underestimate Human Vulnerability:
The MGM breach underscores the reality that even organizations with significant resources can be compromised if attackers exploit human nature. Social engineering, especially vishing, remains a potent tool for cybercriminals. As was the case in this security breach, a well-crafted pretext will not raise any alarms if it seems legitimate enough.

2. Diversify Cybersecurity Training:
While phishing attacks are widely recognized, vishing often gets overlooked in employee training programs. The incident at MGM emphasizes the need for a comprehensive cybersecurity curriculum that addresses a range of attack vectors, including social engineering techniques like vishing. Employees may not be as “on-guard” against the likes of attacks over the phone as they would be to receiving a suspicious email.

3. Heightened Awareness for Personal Cyber Hygiene: Individuals must remain vigilant in protecting their personal information, especially what is shared on public platforms. Social media in itself is not bad; how much we choose to share on it, however, can be. An attacker can build a profile of, and impersonate, an individual who shares too much, and this is worth remaining vigilant about. Implementing strong, unique passwords and enabling multi-factor authentication also adds an extra layer of protection that may stop an attacker.

Protecting Ourselves in 2024 

1. Employee Training and Awareness: Organizations must prioritize ongoing cybersecurity training for employees at an advanced level. This would include various attack scenarios, including the use of real-world simulated vishing calls as opposed to robo dialers or CBT (Computer Based Training). Awareness campaigns on social engineering tactics like vishing can empower employees to identify and report potential threats.

2. Enhanced Verification Processes: Implementing robust verification processes, especially for critical access points like IT help desks, is crucial. Companies should regularly review and update these processes to stay ahead of evolving cyber threats. Especially in the case of a password reset, additional controls such as Multi-Factor Authentication should be required before the reset is carried out.

3. Individual Online Presence: Personal responsibility in the digital realm is paramount. As mentioned above in the lessons learned, individuals should be cautious about the information they share online. This makes it much more difficult for an attacker to build a profile of the individual and attack them with personalized pretexts (or perhaps impersonate them).

4. Prompt Incident Response and Communication:
In the event of a security breach, organizations must have a well-defined incident response plan. Swift communication with affected parties, along with offering identity protection and credit monitoring services, helps mitigate potential damage and stop an attacker in their tracks.

Why Is Vishing So Effective?

Vishing, also known as voice phishing, leverages a direct human-to-human connection that no other attack vector can. Through vishing, a bad actor can establish a personal connection with their target. This allows the attacker to emotionally manipulate the target or create a sense of urgency, fear, and even authority. With the right pretext, an attacker can simply call in and ask for the sensitive information they are looking for once they have built enough rapport or created enough urgency.

Moving Forward

The MGM security breach serves as a stark reminder that cyber threats are constantly evolving. As we advance into 2024, a proactive and adaptive approach to cybersecurity is imperative. By learning from incidents like MGM’s, both organizations and individuals can strengthen their defenses, creating a more resilient digital ecosystem. There are always aspects of our security to improve, so we should never allow ourselves to become overconfident. At Social-Engineer, LLC, we continue to strive in promoting awareness of the tactics bad actors use to deceive unsuspecting victims. Through live vishing simulations, we train our clients’ staff on what to expect from a vishing call and how to counteract a bad actor’s advances. By means of this effective training, we can avoid the stress and devastation that comes from large-scale security breaches.

Written by Josten Peña
