Incident
MGM Resorts: $100M Loss from a 10-Minute Phone Call
Scattered Spider impersonated an employee in a 10-minute call to the IT help desk and obtained Okta + Azure admin access.
Key Finding
Every technical identity control was bypassed through social engineering at the identity provider's human interface.
In September 2023, the threat group Scattered Spider identified an MGM Resorts employee via LinkedIn, impersonated them during a 10-minute phone call to the IT help desk, and obtained credentials that provided administrator-level access to MGM's Okta and Azure environments.
From there, ALPHV/BlackCat ransomware was deployed across MGM's infrastructure. The result: over $100 million in losses, 10 days of operational disruption across casinos and hotels, and a complete shutdown of digital systems including slot machines, room key cards, and reservation systems.
This incident is remarkable not for the sophistication of the attack, but for its simplicity. MGM had invested heavily in identity security: Okta for SSO, Azure AD for directory services, MFA for user authentication. None of it mattered. The attacker bypassed every technical control by calling the help desk and asking for a password reset.
The help desk IS part of your identity architecture. It is the human API to your identity provider. If an attacker can call a phone number, provide a name and employee ID found on LinkedIn, and receive administrator credentials, then your identity architecture has a critical design flaw.
Identity verification at the service desk (voice authentication, out-of-band verification, manager approval for privileged resets) must be treated with the same rigor as technical authentication controls. Otherwise, your multi-million-dollar identity platform has a phone-call-shaped hole in it.
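As an added illustration (not part of the original page, and not MGM's or any vendor's actual procedure), a hypothetical help-desk reset policy that encodes the controls above: attributes an impersonator can find on LinkedIn count for nothing, an out-of-band check to a channel of record is mandatory, and privileged accounts additionally require manager approval. The account names, check labels and attribute sets are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    APPROVE = "approve"
    ESCALATE = "escalate"  # hold the reset until a manager approves out of band
    DENY = "deny"

# Attributes an impersonator can harvest from LinkedIn or a directory listing.
# They identify the account but prove nothing about who is on the phone.
PUBLIC_ATTRIBUTES = {"name", "employee_id", "job_title", "manager_name"}

# Checks that reach the real employee through a channel of record, not the caller.
OUT_OF_BAND_CHECKS = {"callback_to_phone_of_record", "push_to_enrolled_mfa_device", "video_id_check"}

@dataclass
class ResetRequest:
    account: str
    privileged: bool  # holds IdP (Okta) or cloud (Azure) admin roles
    attributes_presented: set = field(default_factory=set)  # what the caller recited
    checks_completed: set = field(default_factory=set)      # what the agent actually verified
    manager_approved: bool = False

def evaluate_reset(req: ResetRequest) -> tuple[Decision, str]:
    """Policy for a help-desk credential reset (hypothetical rules, not MGM's)."""
    oob = req.checks_completed & OUT_OF_BAND_CHECKS
    knowledge_only = req.attributes_presented <= PUBLIC_ATTRIBUTES
    if not oob:
        # The MGM situation: a convincing caller, public facts, no binding to the person.
        why = "no out-of-band verification"
        if knowledge_only:
            why += "; every attribute presented is publicly discoverable"
        return Decision.DENY, why
    if req.privileged and not req.manager_approved:
        return Decision.ESCALATE, "privileged account: manager approval required before reset"
    return Decision.APPROVE, "verified via " + ", ".join(sorted(oob))

def audit_record(req: ResetRequest) -> dict:
    """Structured log entry for the SIEM; non-approved decisions on admin accounts get flagged."""
    decision, reason = evaluate_reset(req)
    return {"account": req.account, "privileged": req.privileged,
            "decision": decision.value, "reason": reason,
            "alert": req.privileged and decision is not Decision.APPROVE}

if __name__ == "__main__":
    # Constructed sample: caller recites name + employee ID and asks for an admin reset.
    print(audit_record(ResetRequest("it-admin", True, {"name", "employee_id"})))
```

A denied or escalated reset request against an admin account is itself a detection signal worth routing to the SOC, since it is the first visible step of this attack pattern.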