Request a Free Consultation

What MGM Casinos’ Data Breach Means to You

Request a Free Consultation
Posted on October 11, 2023

Facts of The Attack

In the beginning of September, MGM was exposed to a cyberattack, forcing major system shutdowns in their casinos across Las Vegas and their other resorts worldwide.

MGM has resorts in Las Vegas, Atlantic City, and Detroit in the US. It also has property in China and Japan. This breach has impacted Atlantic City’s Borgata, Caesars, Tropicana, and Harrah’s Resort casinos.

According to Vox, “A group known as Scattered Spider is believed to be responsible for the MGM breach, and it reportedly used ransomware made by ALPHV, or BlackCat, a ransomware-as-a-service operation. Scattered Spider specializes in social engineering, where attackers manipulate victims into performing certain actions by impersonating people or organizations the victim has a relationship with.”

The attackers reportedly used a tactic called vishing to MGM’s systems. “Chief people hacker” for IBM, Stephanie Carruthers explains how  vishing can be used to gain access to a target. ““From the attacker’s point of view, vishing is easy,” she told Vox. “With phishing, I have to set up infrastructure, I have to craft an email and do all these extra technical things. But with vishing … it’s picking up the phone and calling someone and asking for a password reset. It’s pretty simple.”

This data breach and cyberattack is estimated to cost the casino giant roughly $8.4 million a day, bringing them to about $100 million in losses.

Just one week after MGM announced their breach, Caesars Entertainment joined them in its announcement that they were also hit by a cyberattack.

What Was Stolen?

MGM claims that most of the data stolen was “phonebook information” like names, phone numbers, and email addresses, all of which are already publicly available. However, this breach has exposed some sensitive information, including the driver’s license, Social Security numbers, and other private information of loyalty rewards members, former guests, and others affiliated with MGM.  The company did not reveal just how many people that includes, but says it is providing free credit monitoring services to them, which has become the standard response from companies who can’t secure their customers’ data.

How this Affected the Casino Operations

At MGM casinos, digital keys, ATMs, sports gambling kiosks, and certain slot machines were unavailable during the attack. People have taken to social media to complain about canceled reservations, and not being able to check in, make card payments, or log in to their MGM accounts. One customer said he had to leave the MGM Grand in order to find cash to buy food. Impacted casinos had to become as manual as possible to maintain some level of operation, including writing manual receipts and having cash bars.

A report from PlayNJ states that there were no major disruptions to the three Caesars casinos. According to Reuters, “The hacks have cast fresh spotlight on ransomware attacks – cyber intrusions that affect hundreds of companies every year, from healthcare providers to telecom firms. MGM and Caesars lost market value as stock prices fell, and MGM is yet to recover from various operations disrupted at the hotels and gaming venues it owns from Las Vegas to Macau.”

What to Do If Your Data Was Compromised

Despite the tens of millions of dollars these casinos bring in a day, this attack shows us that even massive casino chains are vulnerable to cyber-attacks. It is important to be mindful of where and with whom you share your personal data, and be sure to check your accounts regularly for fraud or identity theft.

If your data has been exposed to the recent cyberattacks on MGM and Caesars, please contact our firm to learn more about how we can help. Our New Jersey data breach lawyers are well-versed in technology, as he is the founder of, a leading Web 3 and emerging tech firm. In today’s landscape, our data is our most important asset, according to Grungo, which is why he leverages that expertise to take on companies that fail to protect your data.