Cyber Attacks on Casinos: Scattered Spider, MGM and Caesars Cases (2023–2025)

The gambling industry has always been a prime target for cybercriminals due to its large cash flows, valuable personal data, and complex digital infrastructures. Between 2023 and 2025, high-profile cyber incidents involving the hacking group Scattered Spider have shaken the security foundations of major casino operators such as MGM Resorts International and Caesars Entertainment. These cases highlight not only the evolving nature of cyber threats but also the urgent need for robust security measures and incident response strategies.

Scattered Spider and Its Modus Operandi

Scattered Spider, also known by other aliases in the cybersecurity community, is a sophisticated hacking group believed to specialise in social engineering and phishing attacks. The group typically targets corporate employees by posing as trusted IT staff, tricking them into revealing credentials or granting remote access. Once inside a network, the attackers use advanced tools to escalate privileges and move laterally, gaining control over critical systems.

Investigations into their methods revealed a strong emphasis on exploiting human error. They would contact helpdesk teams, convincingly impersonating legitimate staff members, to reset multi-factor authentication tokens. This allowed them to bypass even well-established security protocols. Their operations are marked by speed, coordination, and precise targeting of high-value data repositories.

Beyond the technical breaches, Scattered Spider’s strategy often involves deploying ransomware or threatening to leak sensitive information unless a ransom is paid. These tactics put enormous pressure on victims, both financially and reputationally, often forcing them into rapid decision-making under stress.

The Rise of the Group in the Casino Sector

The group’s emergence as a key player in targeting the casino industry coincided with the sector’s rapid post-pandemic digital expansion. With online gaming, digital payment systems, and remote work becoming more prevalent, attack surfaces grew significantly. Casinos, once focused heavily on physical security, found themselves facing a new era of digital vulnerability.

By 2023, Scattered Spider had already been linked to several breaches in different industries, but its focus shifted sharply towards entertainment and gambling companies, where the financial stakes and brand reputations are exceptionally high. The group demonstrated a clear understanding of operational bottlenecks, using downtime in digital systems as leverage for ransom demands.

Security experts believe that the group operates with a well-funded infrastructure, possibly with connections to other ransomware collectives. This enables them to deploy advanced tactics quickly, making them a formidable threat to any organisation unprepared for a coordinated cyber assault.

MGM Resorts: The 2023 Breach

In September 2023, MGM Resorts International suffered a major cyber attack attributed to Scattered Spider, which disrupted operations across its properties in Las Vegas and beyond. The attack led to the shutdown of hotel booking systems, digital key cards, slot machines, and payment processing in certain areas. Guests reported long delays at check-in desks and issues with accessing their rooms.

Reports indicate that the breach started with a targeted social engineering campaign against MGM’s IT support. The attackers allegedly gained administrative access, allowing them to encrypt critical systems and demand a ransom. MGM chose not to pay, instead focusing on restoring operations from backups, but the process took over a week and resulted in millions of dollars in lost revenue.

The incident became a wake-up call for the industry, illustrating how a breach could paralyse both digital and physical aspects of casino operations. It also prompted regulatory bodies to review the cybersecurity resilience of large hospitality and gaming companies.

Lessons from the MGM Case

The MGM case underscored the importance of employee training in recognising social engineering tactics. Even well-secured systems can be compromised if human trust is exploited effectively. Regular phishing simulations, strict authentication protocols, and continuous monitoring of access logs emerged as recommended measures.

Additionally, the attack highlighted the value of having segmented network architectures. By separating critical systems from guest-facing networks, organisations can limit the spread of malware during an intrusion. MGM’s incident response plan, while robust in some aspects, revealed the challenges of coordinating recovery across a large and complex corporate structure.

Finally, the public nature of the disruption served as a reminder that reputational damage can be as costly as direct financial losses. Maintaining customer trust during and after a breach requires transparent communication and visible action.

Caesars Entertainment: The 2023 Data Breach

Only weeks before the MGM attack, Caesars Entertainment faced its own cybersecurity crisis. The company disclosed that attackers had gained access to its loyalty programme database, potentially compromising sensitive information such as driver’s licence and Social Security numbers of members. Unlike MGM, Caesars reportedly chose to pay the attackers to prevent the public release of the stolen data.

The breach was again linked to Scattered Spider, which allegedly used similar social engineering techniques to bypass security controls. While the operational impact on Caesars was less visible than the MGM case, the potential long-term damage to customer trust was significant, especially given the sensitivity of the stolen information.

This case sparked debate in the cybersecurity community about the ethics and effectiveness of paying ransoms. While payment can sometimes prevent immediate damage, it risks encouraging further attacks by signalling a willingness to comply with demands.

Industry and Regulatory Reactions

Following the Caesars breach, several U.S. state regulators began discussions on mandating stricter cybersecurity standards for gambling operators. This included requirements for regular penetration testing, mandatory reporting of breaches within a fixed timeframe, and stronger identity verification processes for internal systems.

Industry associations also began sharing threat intelligence more actively, fostering collaboration between competing companies to defend against shared threats. Such cooperation is increasingly seen as vital in combating organised cybercrime groups with global reach and resources.

For Caesars, the incident prompted a significant investment in cybersecurity training and technology, with a particular focus on preventing social engineering attacks through multi-layered authentication and real-time threat monitoring.