
Cyber Attack & Breach on the MGM Resort Explained. Details of the Class-Action.

12 March 2025





MGM Resorts Cyberattack Analysis


How was MGM Resorts hacked? A cyberattack that lasted for days

In September 2023, MGM Resorts, one of the largest casino and hospitality operators worldwide, suffered a significant cyberattack that crippled its operations for nearly a week. The incident disrupted some of the most iconic properties on the Las Vegas Strip, such as the Bellagio, the Cosmopolitan, and the Mandalay Bay, along with other MGM-owned resorts across the United States.

During the breach, guests faced a range of issues, including malfunctioning slot machines, ATMs, digital key cards, electronic payment systems, and online reservations. In certain instances, MGM reportedly reverted to pen-and-paper methods to process transactions. As a gesture of goodwill, the company waived change and cancellation fees for travelers unable to utilize their original bookings.

In 2025, the fallout from the MGM cyberattack took a decisive turn with the launch of a comprehensive class-action settlement payout program, designed to offer financial redress to those impacted by the data breaches in 2019 and 2023. This settlement not only addresses the severe personal data compromises—from sensitive identifiers to broader personal details—but also reflects an industry-wide push toward greater cybersecurity accountability, ensuring that affected individuals receive the support and compensation necessary to rebuild trust and safeguard their futures.

But who was behind this attack and how did they manage to breach MGM’s systems? Here’s what we know so far.

Who cyber attacked MGM?

Shortly after the incident, various cybersecurity researchers began attributing the breach to a hacking group known as Scattered Spider, thought to be a subgroup of the ALPHV ransomware gang (also referred to as BlackCat). ALPHV has gained notoriety since 2020 for deploying sophisticated malware to encrypt corporate data and demand hefty ransoms for its release.

Scattered Spider also claimed responsibility for a near-simultaneous hack on Caesars Entertainment, another Las Vegas casino giant. Subsequent reporting suggested Caesars may have paid roughly half of a $30 million ransom to protect the confidentiality of data stolen from its loyalty program database [1]. This database reportedly contained the personal information of millions of customers.

How did Scattered Spider hack MGM?

While comprehensive technical details did not fully emerge until well into 2024, investigators pieced together how Scattered Spider may have gained initial access. Based on findings from Ars Technica [2], the group specialized in vishing (voice phishing), whereby attackers impersonated IT staff or vendors over the phone. By targeting unwitting employees, they harvested legitimate login credentials—then escalated privileges to access critical systems.

New evidence surfaced in late 2023 showing that Scattered Spider used multi-factor authentication (MFA) fatigue tactics, repeatedly prompting targeted employees for MFA approvals until one was mistakenly granted. Once inside, the attackers exfiltrated sensitive data and deployed ransomware that encrypted portions of MGM’s IT infrastructure, leading to days of operational disruption.
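Detection logic for the MFA fatigue pattern described above, as an added example (not from the original article or from any investigation of the incident): it flags a burst of rejected or ignored push prompts and, separately, an approval that arrives right after such a burst. The log format, the 10-minute window and the threshold of four prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 4                    # assumed count of rejected/ignored prompts

# Constructed sample log: "<UTC time> <user> <push result>"
SAMPLE_LOG = """\
2023-09-10T02:14:05 alice denied
2023-09-10T02:14:40 alice timeout
2023-09-10T02:15:10 alice denied
2023-09-10T02:15:55 alice timeout
2023-09-10T02:16:30 alice approved
2023-09-10T08:01:00 bob timeout
2023-09-10T08:01:30 bob approved
2023-09-10T09:00:00 carol denied
2023-09-10T09:01:00 carol denied
2023-09-10T09:02:00 carol denied
2023-09-10T09:03:00 carol denied
2023-09-10T11:30:00 carol approved
"""

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (time, user, kind, failed_count) alerts for push-prompt bursts."""
    failures = defaultdict(deque)   # user -> times of recent denied/ignored prompts
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                # skip malformed lines
        ts, user, result = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()        # age out prompts older than the window
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append((parts[0], user, "prompt_burst", len(recent)))
        elif result == "approved":
            if len(recent) >= threshold:
                # Approval right after a burst: treat the session as suspect.
                alerts.append((parts[0], user, "approved_after_burst", len(recent)))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An `approved_after_burst` alert is the case that warrants revoking the session and contacting the user out of band; a lone `prompt_burst` shows the password is already known to someone else and should be reset.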

Additional resources: Ars Technica – A phone call to helpdesk was likely all it took to hack MGM

Has MGM been hacked before?

Yes. MGM Resorts suffered a data breach in 2019 that exposed personal information for up to 10.6 million customers, including high-profile individuals. The stolen data—names, phone numbers, email addresses, and birth dates—later appeared on online forums for anyone to download [3]. Following the 2019 breach, MGM claimed to have bolstered its cybersecurity infrastructure; however, the 2023 incident highlighted that social engineering remains a potent threat, even for organizations with reinforced digital defenses.

Press Release: MGM Resorts 2019 Data Breach Update (Archived)

What was the fallout of the MGM Resorts hack?

Though the initial disruption in September 2023 lasted under a week, the financial and reputational consequences have extended well into 2025. Key impacts include:

  • Revenue and operational losses: MGM reported a $100 million hit to its third-quarter 2023 results as a direct consequence of systems forced offline [4].
  • Regulatory scrutiny: The Federal Bureau of Investigation (FBI) launched a formal inquiry, and the Nevada Gaming Control Board investigated to ensure MGM complied with state-mandated cyber incident reporting.
  • Customer trust: MGM faced critical brand damage, with negative sentiment across social media and some guests hesitant to trust MGM’s online booking and loyalty program platforms.
  • Class action lawsuits: By early 2024, several groups of plaintiffs filed class action suits claiming MGM’s security measures were inadequate. As of 2025, some of these cases remain active, while others have settled confidentially.
  • Strengthened cybersecurity: In late 2024, MGM committed to an additional $50 million investment in endpoint protection, cloud security, and employee training to mitigate future social engineering threats.

Learn more: MGM Resorts Investor Relations

How were guests affected by the MGM Resorts hack?

Guests encountered a variety of inconveniences in the immediate aftermath:

  • Slot machines and ATMs malfunctioning or offline
  • Digital key cards failing to unlock hotel rooms
  • Electronic payment systems rejecting credit cards
  • Online reservations inaccessible or stuck in pending status
  • TV service and phone lines down in certain hotel rooms
  • Sportsbooks temporarily shuttered
  • Long lines at check-in desks, restaurants, and bars
  • Cash-only transactions or manual credit card imprinting in some locations

Customer reaction was mixed—some criticized MGM for not having robust contingency plans, while others commended staff members who worked diligently under difficult circumstances. By October 2023, MGM had largely restored normalcy, though sporadic system glitches reportedly persisted through early 2024.

Related coverage: CNN Business – MGM Resorts recovering after cybersecurity issue
BBC – MGM Resorts says data breach exposed personal information

Was any customer info stolen in the 2023 MGM Resorts data hack?

Following an internal investigation completed in Q1 2024, MGM Resorts publicly confirmed that customer data was accessed, potentially including:

  • Name
  • Contact information
  • Gender
  • Date of birth
  • Driver’s license number

For a smaller subset of guests, Social Security numbers and passport details were also compromised [5]. MGM continued to maintain in its 2024 updates that there was no evidence the data had been widely exploited for identity theft or account fraud. Nonetheless, customers were encouraged to use credit monitoring and fraud alert services. As part of several legal settlements, MGM offered free identity protection subscriptions to impacted individuals.

See also: MGM Customer Support: Data Security FAQs
Equifax Identity Theft Protection Services

What happened to MGM Resorts shares after the attack?

MGM’s stock (NYSE: MGM) saw an immediate reaction when news of the hack broke. Shares dropped about 4.1% in two trading days, closing at $41.99 on September 12, 2023, down from $43.79 on September 8. Although the stock rebounded slightly by mid-September, it remained under pressure throughout Q4 2023 as analysts weighed potential legal liabilities and brand damage.

However, travel and tourism demand rebounded strongly in 2024, boosted by continued post-pandemic recovery. As of January 2025, MGM’s share price is hovering around the mid-$50 range, supported by robust hospitality and gaming revenues and a general upswing in the Las Vegas travel market.

Was there any previous cyberattack in Las Vegas?

Yes. In February 2020, the City of Las Vegas reported a cyberattack on its municipal network. Prompt detection and rapid remediation measures prevented any large-scale data leak or extended shutdown. The city credited robust incident response protocols for averting more severe disruptions. Moreover, Caesars Entertainment separately confirmed an incident in September 2023 (around the same time as MGM’s) that compromised loyalty program data for millions of customers.

These events underscored Las Vegas’s status as a prime target for cybercriminals, given the concentration of casinos, hotels, and high-value financial transactions. In 2024, Nevada lawmakers began contemplating stricter cybersecurity regulations for the state’s gaming industry, but no final legislative package had been enacted as of early 2025.

Further reading: City of Las Vegas Cyber Incident (2020) Official Statement

In an era of high-profile cyberattacks like those faced by MGM Resorts and other global organizations, Inszone stands out as an industry leader in Cyber Liability coverage. We offer robust strategies to help businesses withstand data breaches, ransomware demands, and other cyber threats. Protect your company’s critical assets and reputation—contact Inszone now to learn how our customizable Cyber Liability solutions can fortify your digital defenses.

2025 Class-Action Settlement and Payouts

If you stayed at an MGM Resorts International property in recent years, you may be eligible for a portion of a $45 million class-action settlement related to data breaches that occurred in July 2019 and September 2023 [source]. These breaches reportedly exposed personal information such as names, addresses, phone numbers, Social Security numbers, passport numbers, and driver’s license details [source].

Who Is Eligible?

Anyone in the U.S. who:

  • Had their information compromised in the breaches, and
  • Was sent a notice from MGM regarding the data breaches

Notices started going out in February 2025 and will continue through April 2025 [source]. If you got one, you should have received a unique ID and PIN to submit your claim.

How to File a Claim

Online: Visit MGMSettlement.com and enter your unique ID and PIN.
Mail: Print and fill out a claim form from the website, then submit it by mail.
Important: The claim-filing deadline is June 3, 2025. Mailed claims must be postmarked on or before that date. A final settlement approval hearing is scheduled for June 18, 2025 [source].

Potential Settlement Payouts

The settlement offers three tiers of flat payments, depending on what type of information was exposed [source]:

  • Tier 1 ($75): Social Security number or military ID compromised
  • Tier 2 ($50): Passport number or driver’s license compromised
  • Tier 3 ($20): Name, address, and/or date of birth compromised

All claimants also get one year of financial account monitoring. If you incurred out-of-pocket expenses (e.g., identity theft losses, credit freeze fees), you can submit documentation (credit card statements, receipts, etc.) for possible additional reimbursement, up to $15,000.

List of MGM Resorts Properties

The settlement covers all MGM Resorts locations, including:

  • Las Vegas: Bellagio, ARIA, The Cosmopolitan, MGM Grand, Mandalay Bay, Luxor, Excalibur, and others
  • Other U.S. locations: MGM Springfield, MGM National Harbor, Beau Rivage, Borgata, and more [source]

Need More Information?

Official Settlement Website: https://mgmsettlement.com
MGM Resorts Statement on 2023 Breach: CNN Coverage
If you believe you’re affected, make sure to review your notice or contact the Settlement Administrator for any questions about eligibility, filing deadlines, or payment details.


Fatima Gomez - Inszone Insurance Senior Commercial Lines Account Manager

Fatima Gomez, CCIP, WCIP

Commercial Account Manager Team Lead

Fatima Gomez is a Commercial Account Manager Team Lead at Inszone Insurance Services. She joined Inszone Insurance in 2019 and has been in the insurance industry for over 12 years, helping customers with their commercial insurance needs.

In her time off, Fatima enjoys spending time with her kids, crafting, and hiking.
