The Vegas Vishing Hack that Caused Chaos

Hacks and scams have become such common news that we barely pay attention anymore. What should alarm us about that desensitization is that more and more of our personal identity, and our money, is accessible online.

The full story will probably never be known, because it is embarrassing for the business and the attackers want to keep their “process” to themselves. What we do know is that the attackers were clever, and that the big corporations we blindly trust are far easier to fool than we assume.

What happened? 

Since no one is telling all the details, this is what we think happened, at a very high level.


In September 2023, a single phone call to an IT help desk shut down an entire business, casinos included, and caused major chaos. When I heard that a group of hackers had attempted to take $30M from MGM after successfully hacking its systems, I imagined an Ocean’s 11 situation. And it probably was.

What we do know is that an attacker called the IT help desk posing as an employee, said they had been locked out of their account, and asked for a password reset. This is vishing (voice phishing): a social-engineering attack that begins with a phone call rather than an email. When the real employee received the notification about the new password, they immediately notified IT. But it was too late; the attackers were already inside. The lesson a practitioner should take from this step is that the help desk is part of the authentication system: whatever it accepts as proof of identity is, in practice, the strength of every password behind it.

Let’s take a moment to remember that the casino world is very proud of its security. Again, Ocean’s 11. Can you tell it’s one of my favorite movies?

“A former MGM employee who was familiar with the company’s cybersecurity policies…said that to obtain a password reset, employees would only have to disclose basic information about themselves–their name, employee identification number and date of birth–details that would be trivial to obtain for a criminal hacking gang.” – Andrew Martin, Ryan Gallagher and Katrina Manson, Bloomberg, Sep 15, 2023

Hours later, MGM’s tech department began to notice unusual activity, including someone ‘sniffing around’ passwords, and started shutting down systems, including email, to cut off the attackers’ access. But abruptly shutting down systems means chaos for hotel and casino employees and guests. Think about it: restaurant computers down; hotel tech (room doors, front desk, elevators, security) down; and, most of all, the casino computers down. Guests couldn’t cash out winnings, and I’m pretty sure that caused chaos. That is the containment trade-off: taking systems offline limits how far an intruder can move, at the price of availability, which is why it goes far better when there is a plan for which systems can be isolated and how the business keeps operating without them.


This went on for DAYS. MGM refused to pay the ransom and had to restore its systems itself (side note: Caesars was breached a week earlier and paid a reported $15M ransom to keep customer data from being leaked). After 10 days of outages, MGM announced that all systems were back up and running. What I’ve read is that this is not true, and 3 weeks after the initial hack they were still struggling to protect data and get the business running again.

Unfortunately, refusing to pay the $30M ransom did not keep the data out of the attackers’ hands; it had already been taken by the time the decision was made, and it took weeks to regain full control of the systems. MGM later confirmed that customer and employee data was stolen, including names, driver’s license numbers, dates of birth, and, for a “limited number of customers,” Social Security numbers and passport numbers.

Now what?
MGM is still in damage control. It estimates a hit of roughly $100M from the incident. Employees are furious. Customers are furious and have lost trust. And now, cue the lawsuits and higher cyber insurance premiums.

Why does this matter?

I personally feel this entire incident brings up an ethical conversation for all businesses. You have intimate employee and client data that you need to protect. And by refusing to pay the ransom, MGM didn’t protect the intimate data of the people it most needed to protect. BUT…. are we then concluding that to protect people you always give hackers and thieves what they want? Because that could get out of control QUICKLY. The FBI advises companies not to pay these ransoms. Nearly 30% of victims opted to pay them in the fourth quarter last year, down from 72% four years earlier, according to ransomware negotiator Coveware. The average ransom was nearly $569,000. I don’t have the answer, but what I can do is make sure my business is intentional about protecting data.

What can we learn?

Let’s start with the simple basic steps. Protect the data you have.

For all your personal and business online accounts/software:

  • Implement multi-factor authentication on every account and application that supports it, and prefer phishing-resistant methods (hardware security keys or passkeys) where you can

  • Use a password manager (at Viticula we use LastPass) so that every account gets a unique, strong password

  • Limit the number of administrative users on every system (bank, PayPal, Stripe, CRM, payroll, etc.)

  • Require stronger authentication for your most sensitive data and for recovery actions such as password resets; a help desk should never accept facts like name, employee ID and date of birth as proof of identity

  • Pay attention to emails about unrecognized sign-ins and password changes, and treat one you didn’t request as an incident, not an annoyance
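The help-desk reset in the story and the “pay attention to emails about password changes” advice above share one detection idea: a password reset is an event worth watching on its own, and a reset followed by a sign-in from somewhere new, or by the enrollment of a new MFA device, is the shape of an account takeover. The Python below is an added example, not code from the original post or anything MGM runs; the log format, the users, the addresses and the baseline of known IPs are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "time|event|user|channel|detail"
# format. These are not MGM's logs; users, addresses and times are made up.
SAMPLE_LOG = """\
2023-09-10T09:02:11|password_reset|jdoe|helpdesk|verified=name,employee_id,dob
2023-09-10T09:05:40|login|jdoe|sso|ip=203.0.113.9
2023-09-10T09:07:03|mfa_enroll|jdoe|sso|device=new-phone
2023-09-10T10:15:00|password_reset|asmith|self_service|verified=mfa_push
2023-09-10T10:16:22|login|asmith|sso|ip=198.51.100.7
2023-09-10T14:00:00|login|jdoe|sso|ip=198.51.100.5
"""

# Hypothetical baseline of the addresses each user normally signs in from.
KNOWN_IPS = {"jdoe": {"198.51.100.5"}, "asmith": {"198.51.100.7"}}

# Identity "proofs" an outsider can collect without compromising anything
# (the kind the Bloomberg quote describes). A reset verified only with these
# is, for detection purposes, an unverified reset.
PUBLIC_FACTORS = {"name", "employee_id", "dob"}


def parse_log(text):
    """Parse the hypothetical log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, channel, detail = line.split("|", 4)
        key, _, value = detail.partition("=")
        events.append({"time": datetime.fromisoformat(ts), "event": event,
                       "user": user, "channel": channel, key: value})
    return events


def find_risky_resets(events, known_ips, window=timedelta(hours=2)):
    """Return one alert per password reset that looks like an account takeover.

    A reset is flagged when it was verified only with public facts, or when it
    is followed within `window` by a sign-in from an unfamiliar address or by
    enrollment of a new MFA device (the attacker cementing their access).
    """
    alerts = []
    for reset in (e for e in events if e["event"] == "password_reset"):
        reasons = []
        factors = {f for f in reset.get("verified", "").split(",") if f}
        if not factors:
            reasons.append("no verification factor recorded for the reset")
        elif factors <= PUBLIC_FACTORS:
            reasons.append("reset verified only with public facts: "
                           + ", ".join(sorted(factors)))
        for e in events:
            if e["user"] != reset["user"]:
                continue
            if not reset["time"] < e["time"] <= reset["time"] + window:
                continue
            minutes = int((e["time"] - reset["time"]).total_seconds() // 60)
            if e["event"] == "login" and e.get("ip") not in known_ips.get(e["user"], set()):
                reasons.append(f"sign-in from unfamiliar address {e['ip']} "
                               f"{minutes} min after reset")
            elif e["event"] == "mfa_enroll":
                reasons.append(f"new MFA device enrolled {minutes} min after reset")
        if reasons:
            alerts.append({"user": reset["user"], "time": reset["time"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_risky_resets(parse_log(SAMPLE_LOG), KNOWN_IPS):
        print(f"{alert['time']:%Y-%m-%d %H:%M} {alert['user']}:")
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the constructed data, jdoe’s help-desk reset produces a single alert with three reasons (public-facts verification, a sign-in from an unfamiliar address three minutes later, and a new MFA device four minutes later), while asmith’s self-service reset, verified by an MFA push and followed by a sign-in from a known address, produces none. The window and the baseline of known addresses are the two knobs to tune; the point is that the reset itself, not just the later sign-in, is the event to alert on.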


If your business holds any client credentials, implement all of the above, purchase cyber insurance, and document your data-security processes. Viticula isn’t a large business, but we are extremely careful with any data we hold. And we have insurance in case all our processes aren’t enough.
