THE SHORT ANSWER
In September 2023, Scattered Spider looked up an MGM Resorts employee on LinkedIn, called the IT help desk pretending to be that person, and talked their way into the entire network in under ten minutes. The attack cost MGM $100 million. It did not start with malware, a zero-day exploit, or any technical sophistication. It started with a help desk employee who received a convincing phone call and followed standard procedure. High turnover, limited security training, and broad system access make hospitality staff the most consistently targeted vector in the industry. Here is how that attack works and what actually closes the gap.
IT Accuracy | Managed IT Services, Los Angeles | Date: April 2026 | 7 min read
AT A GLANCE
The most dangerous person in your building from a cybersecurity standpoint is probably not a hacker. It is a front desk employee hired three weeks ago who has never been told what a social engineering attack looks like, has full access to your POS system and reservation platform, and will try to be helpful when someone calls with an urgent request. In Los Angeles, where the hospitality industry runs on high staff turnover and fast-paced service culture, that exposure is the rule rather than the exception.
The details of the September 2023 MGM Resorts breach are worth understanding precisely because the method was so mundane. Scattered Spider, a loosely organized group of attackers many of whom are native English speakers, used LinkedIn to identify a current MGM Resorts employee. They gathered enough publicly available information about that person to sound credible. Then they called MGM’s IT help desk, claimed to be the employee, and said they were locked out of their account.
The help desk did what help desk employees are trained to do. They were helpful. They reset the credentials. Within ten minutes, Scattered Spider had access to MGM’s network. They spent the next several days moving laterally through the system, escalating privileges, exfiltrating data, and positioning ransomware. On September 11, MGM took its systems offline. Slot machines went dark. Digital room keys stopped working. The reservation system went down. The MGM app became inaccessible across more than 30 properties.
The disruption lasted approximately ten days. The total cost came to around $100 million in lost revenue, recovery expenses, and legal fees. MGM also committed to investing up to $40 million in additional cybersecurity measures after the incident. The company saw a staggering rise in cyber insurance costs following the breach.
All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation.
vx-underground, threat intelligence account, September 13, 2023
While MGM refused to pay, Caesars Entertainment, hit by the same group days earlier, paid approximately $15 million in ransom to keep its loyalty database off the internet. The original demand had been $30 million. Two of the largest hospitality companies in the world, both taken down within weeks of each other by the same method: a phone call to a help desk.
Social engineering works better in hospitality than in almost any other industry, and the reasons are structural rather than incidental. They are built into how the industry operates. For Los Angeles hospitality businesses in particular — spanning hotels, restaurants, catering, and entertainment venues across a sprawling, competitive market — the combination of high volume, rapid staff turnover, and guest-first culture creates a uniquely wide attack surface.
Hospitality runs on helpfulness. The entire culture of the industry is oriented toward saying yes, solving problems quickly, and never making a guest or a caller feel dismissed. That instinct, which is exactly what makes excellent hospitality, is also what makes social engineering so effective. An attacker calling a front desk or help desk does not need to be technically sophisticated. They need to sound like they belong, create mild urgency, and give the employee a way to be helpful. The industry trains people to find that way.
High turnover compounds the problem at scale. The hospitality sector consistently has among the highest employee turnover rates of any industry. In a restaurant group or hotel operation, a significant portion of the staff at any given time may have been in their role for less than 90 days. Security awareness, if it exists at all, tends to be absorbed informally over time through observation rather than delivered through structured onboarding. New employees do not know what a social engineering attempt sounds like because nobody has told them.
Access controls are rarely matched to tenure or role. A front desk employee hired last month may have the same system access as someone who has been in the role for three years. A server who was just added to the POS system has the same credential footprint as the manager. When that new employee gets a convincing phone call, their access is the attack surface.
The response most small hospitality operators have to the MGM story is that it is a Las Vegas casino with a massive IT infrastructure and a national profile. That it is a different category of target. This logic is understandable and wrong.
The social engineering technique that took down MGM scales down to a 40-room boutique hotel, a restaurant group, or a catering operation with no modifications. The attacker does not need to know anything about your specific systems before the call. They need a name, a role, and a plausible reason to need help. LinkedIn, your website’s team page, and a quick search of public records will provide all of that within minutes. The rest is a phone call.
What changes at smaller operations is not the vulnerability. It is the consequences. MGM had the resources to absorb a $100 million loss, rebuild, and continue operating. A three-location restaurant group or an independent hotel property does not have that buffer. An attack that disrupts your POS and reservation system during peak season, forces you to operate manually, and potentially exposes guest payment data is not a recoverable inconvenience at that scale. It is an existential event. Backup and disaster recovery built for hospitality operations is what separates a recoverable incident from a permanent one.
Most hospitality businesses have no cybersecurity component in their onboarding. New hires learn the POS system, the reservation platform, the opening and closing procedures, and the dress code. They do not learn what to do when someone calls claiming to be from corporate IT and asking them to reset a password or confirm account details. They have no framework for recognizing that the request is unusual, no escalation path for handling it, and no one to call.
This is fixable without a major investment in technology or time. The core concepts that stop social engineering attacks can be communicated in under 20 minutes during onboarding and reinforced through a short written reference. The specific things every new hire in a hospitality operation should know from day one are not complex. They require no technical background. They require clarity about what the rules are and why they exist.
Staff training reduces the probability of a successful social engineering attack. It does not eliminate it. The second layer of protection is a technical environment configured to limit what an attacker can do even if they do get a credential. That is where the gap between general IT support and hospitality-focused managed IT becomes consequential.
The Scattered Spider attack worked at MGM because a single reset credential provided access to systems far beyond what the impersonated employee needed for their daily role. That is a privileged access problem. A properly segmented network with role-based access controls means that a compromised front desk credential opens a front desk system, not the reservation platform, not the payment processor, and not the back-office network. Network segmentation and access control configuration are core components of what IT Accuracy implements for hospitality clients.
Guest Wi-Fi and internal operational networks should be completely isolated from each other. A guest connecting to your Wi-Fi should have no path, even an indirect one, to the systems your staff uses. In many smaller hospitality operations, this segmentation has never been implemented because nobody thought to ask about it when the network was set up.
Multi-factor authentication on every account that accesses sensitive systems means that even a successfully social-engineered credential reset does not hand over immediate access. The attacker still needs a physical device they do not have. MFA does not prevent the call from happening. It closes the door the call was trying to open. A cybersecurity assessment for your hospitality operation will surface every account that lacks MFA enforcement and every network segment that is not properly isolated.
The layered defense principle
Training reduces the likelihood that an attack succeeds at the human layer. Network segmentation limits the blast radius if it does. MFA prevents a stolen credential from becoming immediate system access. Backup and monitoring ensure that even a successful intrusion does not become a permanent one. No single control stops everything. All of them together make your operation a significantly harder target than the one next door.
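The monitoring layer described above can be made concrete as a correlation check: flag any help desk credential reset that is followed, within a short window, by logins to systems outside the account's role. The code below is an added illustration, not IT Accuracy's tooling; the role-to-system map, the user roles and the log events are constructed sample data.

```python
"""Constructed example: correlate help-desk credential resets with subsequent
out-of-role system access, the pattern the MGM incident illustrates."""
from datetime import datetime, timedelta

# Hypothetical role-based allowlist: which systems each role may reach.
ROLE_SYSTEMS = {
    "front_desk": {"pms_frontdesk", "keycard"},
    "server": {"pos"},
    "it_admin": {"pms_frontdesk", "keycard", "pos", "reservations", "payments", "backoffice"},
}
USER_ROLES = {"jdoe": "front_desk", "asmith": "server"}

# Constructed log events: (ISO timestamp, event type, account, detail).
# For resets, detail records whether the caller's identity was verified.
EVENTS = [
    ("2023-09-10T14:02:00", "helpdesk_reset", "jdoe", "caller_verified=false"),
    ("2023-09-10T14:05:00", "login", "jdoe", "pms_frontdesk"),   # in role, fine
    ("2023-09-10T14:07:00", "login", "jdoe", "reservations"),    # out of role
    ("2023-09-10T14:09:00", "login", "jdoe", "payments"),        # out of role
    ("2023-09-10T16:00:00", "login", "asmith", "pos"),           # no reset, in role
]

def find_reset_abuse(events, user_roles, role_systems, window=timedelta(hours=24)):
    """Return (account, system, minutes_after_reset) for every login to a
    system outside the account's role that occurs within `window` of a
    help-desk reset of that account. ISO timestamps sort correctly as text."""
    last_reset = {}
    alerts = []
    for ts, kind, user, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "helpdesk_reset":
            last_reset[user] = t
        elif kind == "login":
            reset_at = last_reset.get(user)
            allowed = role_systems.get(user_roles.get(user), set())
            if reset_at and t - reset_at <= window and detail not in allowed:
                minutes = int((t - reset_at).total_seconds() // 60)
                alerts.append((user, detail, minutes))
    return alerts

def unverified_resets(events):
    """Accounts reset without the help desk verifying the caller's identity."""
    return [u for _, kind, u, d in events
            if kind == "helpdesk_reset" and "caller_verified=false" in d]

if __name__ == "__main__":
    for alert in find_reset_abuse(EVENTS, USER_ROLES, ROLE_SYSTEMS):
        print("ALERT: post-reset out-of-role access", alert)
    print("Unverified resets:", unverified_resets(EVENTS))
```

The in-role login to the front desk system is not flagged; the two logins to systems a front desk role should never reach are, minutes after an unverified reset.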
The single most useful thing a hospitality operator can do after reading this post is run a tabletop exercise. Not a technical simulation. A conversation. Gather your front-of-house managers and your most recently hired staff members and walk through the following scenario out loud.
If your team cannot navigate that scenario correctly, no amount of firewall configuration will protect you. If they can, the technical layer IT Accuracy builds around them ensures that even the attempts that get through do not become catastrophic. Both layers are necessary. Neither one alone is sufficient. For Los Angeles hospitality businesses, working with an IT provider that understands hospitality is what closes the gap before it becomes a headline. Schedule a hospitality IT assessment to find out where your operation currently stands on both.
IT Accuracy
Managed IT Services — Los Angeles, CA
IT Accuracy provides cybersecurity and security awareness training, managed network services, cloud solutions, and help desk support for businesses across Los Angeles and nationwide.