MGM Resorts Security Breach
Experience the real 2023 MGM Resorts cyberattack from the perspective of an IT helpdesk technician. Learn how sophisticated social engineering led to a $100 million breach, and discover the security practices that could have prevented it. This exercise is based on actual events that compromised one of America's largest casino operators.
What You'll Learn
- Recognize sophisticated vishing (voice phishing) attack techniques
- Understand why knowledge-based authentication is insufficient
- Identify social engineering manipulation tactics
- Apply proper verification procedures for high-risk requests
- Appreciate the catastrophic scale of social engineering consequences
Training Steps
- Introduction: A Busy Monday at MGM IT Support
You are Alice Thompson, a Level 2 IT Support Specialist at MGM Resorts' corporate helpdesk in Las Vegas. It's Monday, September 11, 2023, and you've just started your shift. The morning has been hectic - the usual password resets, VPN issues, and access requests that come with the start of a new week. Your team supports over 48,000 employees across MGM's properties worldwide. Today feels like any other Monday, with your ticket queue already showing 15 open requests. You've been with MGM for two years and pride yourself on your customer service - helping employees get back to work quickly is your top priority.
- Checking Your Ticket Queue
Your ticket queue is full this morning - 15 open requests waiting for your attention. Most are routine: password resets, VPN connection issues, and access requests. You need to log into the support portal to start working through them. You've been handling these requests efficiently all morning. Your performance metrics reward quick resolution times, and you take pride in helping employees get back to work as fast as possible.
- An Incoming Call
At 10:23 AM, your desk phone rings. The caller ID shows it's an internal extension - 4429. This is completely normal; employees often call the helpdesk directly when they can't access the ticketing system themselves. You're about to answer what seems like a routine support call. The caller will sound stressed but professional - exactly like dozens of other employees you help every week.
- The Phone Call Begins
You answer professionally and hear a young man's voice on the other end. He sounds genuinely stressed but polite. His English is perfect - clear American accent, no hesitation, using the same internal terminology your regular callers use. He introduces himself as Bob Richardson from the Bellagio operations team and explains he's locked out of his accounts with an important VP meeting in 20 minutes. When you ask for his employee ID, he admits he doesn't have it memorized and left his badge in his car, asking if you can look him up by name instead. This is a common request. Many employees don't memorize their IDs and forget their badges. Nothing about this call raises any immediate red flags.
- Looking Up the Employee Record
Following standard protocol, you need to verify Bob's identity by looking up his employee record in the system. He provided his full name: Robert Richardson, and said he works in guest services operations at the Bellagio. You'll search the employee database to confirm he's a legitimate MGM employee before proceeding with any account changes. This is a routine security step you perform dozens of times per day.
- Verifying Bob's Identity
The system shows Robert Richardson, employee ID MG-47832, hired in May 2020 as a Guest Services Manager at Bellagio. Everything checks out perfectly. Now you need to verify his identity using the standard security questions. Bob explains his MFA issue - his phone updated yesterday and corrupted the Authenticator app, so he can't receive login codes. This is a common problem you've resolved many times before. Bob provides his date of birth and the last four digits of his SSN without hesitation. He even mentions his manager Linda Chen (someone you've helped before) and references an internal project about the new check-in system rollout. He sounds frustrated but professional, explaining how urgent this is because of his upcoming VP meeting.
- Cross-Checking the Information
You check Bob's information against what's displayed in the employee portal. Date of birth, SSN, manager's name and department match perfectly. Everything Bob told you is correct. He knows internal projects, references real people, and his frustration sounds genuine. He's providing all the right information without you having to ask twice. There are no obvious red flags that would make you suspicious. This appears to be a legitimate employee who needs help getting back to work before an important meeting.
- The MFA Reset Request
You explain the standard options to Bob: you can reset his MFA, but he'll need to re-enroll his device. Alternatively, you could send a temporary access code to his registered email or phone number. Bob explains his predicament: his phone number changed when he got the new SIM card during the update, and he can't access his email because that also requires the same MFA he's locked out of. He asks if you can simply reset the MFA so he can re-enroll right now with his phone ready. This is within your authority to do. You've made this kind of reset hundreds of times before. The system shows he's a legitimate employee with verified information. Your performance metrics reward quick resolution times, and Bob clearly has a legitimate business need.
- Making the Decision
You've made your decision. Bob has shown that he's a real employee by providing a lot of personal details and a reasonable explanation. You've performed this exact type of MFA reset hundreds of times before without incident. Bob sounds stressed about a legitimate business need - an upcoming meeting with the VP in just a few minutes. You're here to help employees get back to work quickly. There's no reason to deny this request or escalate it to your supervisor. Everything checks out, and Bob is waiting on the line, ready to re-enroll his authentication app immediately.
- Accessing Account Settings
You navigate to Bob's employee profile in the portal. The page shows his basic details, employment history, and current status. To perform the MFA reset, you need to access his account settings first. You can see his profile confirms the information he provided: Guest Services Manager at Bellagio, hired in May 2020. Everything matches what Bob told you on the phone.
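The decision Alice faces in the steps above can be written down as a rule: knowledge-based answers (date of birth, last four of the SSN, manager's name) are enough to find the right employee record, but they never by themselves authorize a high-risk change such as an MFA reset; that needs at least one out-of-band factor the caller cannot satisfy just by knowing things. The following is an added example, not MGM's tooling or any protocol described on this page; the action names, the list of out-of-band channels, and the threshold of two "unavailable" channels are assumptions chosen to illustrate the rule.

```python
"""Helpdesk decision logic for MFA-reset requests (added illustration).

Encodes one defensive rule: identity lookup may rely on knowledge-based
answers, but high-risk account changes require an out-of-band factor, and a
caller who claims that every registered channel is unusable is routed to a
supervisor instead of being served by the front-line agent.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"          # an out-of-band factor was satisfied
    REQUIRE_OOB = "require_oob"  # stop; complete an out-of-band step first
    ESCALATE = "escalate"        # supervisor review or in-person badge check
    DENY = "deny"


# Assumed set: actions that hand the account to an impostor if done for one.
HIGH_RISK_ACTIONS = {"mfa_reset", "password_reset", "change_recovery_contact"}


@dataclass
class ResetRequest:
    action: str
    record_matches: bool        # HR lookup found the employee
    kba_correct: bool           # DOB / SSN-4 / manager answered correctly
    # Out-of-band channels, as recorded by the agent during the call
    callback_to_number_on_file: bool = False   # agent hung up and called back
    code_via_registered_channel: bool = False  # code confirmed on file email/SMS
    manager_confirmed: bool = False            # manager reached via HR contact
    badge_verified_in_person: bool = False
    channels_claimed_unavailable: int = 0      # "new SIM", "email locked", ...
    urgency_claimed: bool = False
    reasons: list = field(default_factory=list)


def evaluate_reset(req: ResetRequest) -> Decision:
    """Return the decision for one request and record why in req.reasons."""
    if not req.record_matches:
        req.reasons.append("no matching employee record")
        return Decision.DENY

    if req.action not in HIGH_RISK_ACTIONS:
        # Low-risk ticket (e.g. a printer mapping): knowledge-based answers suffice.
        if req.kba_correct:
            return Decision.APPROVE
        req.reasons.append("KBA failed on low-risk request")
        return Decision.DENY

    oob = (req.callback_to_number_on_file, req.code_via_registered_channel,
           req.manager_confirmed, req.badge_verified_in_person)
    if any(oob):
        req.reasons.append("out-of-band factor satisfied")
        return Decision.APPROVE

    # Knowledge-based answers alone never clear a high-risk action: everything
    # the caller "knows" could have come from a prior breach or public profiles.
    req.reasons.append("KBA cannot authorize " + req.action)
    if req.urgency_claimed:
        req.reasons.append("urgency pressure noted")

    # A caller who cannot use ANY registered channel looks the same as an
    # attacker; that pattern goes to a supervisor, not to the agent's discretion.
    if req.channels_claimed_unavailable >= 2:  # assumed threshold
        req.reasons.append("all out-of-band channels claimed unavailable")
        return Decision.ESCALATE

    return Decision.REQUIRE_OOB


def evaluate_training_call() -> Decision:
    """The call from the exercise, encoded as constructed input: the record and
    the security answers match, but the caller says both the phone number on
    file and the registered email are unusable, and stresses a VP meeting."""
    req = ResetRequest(action="mfa_reset", record_matches=True, kba_correct=True,
                       channels_claimed_unavailable=2, urgency_claimed=True)
    return evaluate_reset(req)


if __name__ == "__main__":
    print(evaluate_training_call())
```

Run as written, the exercise's call comes back as an escalation rather than an approval: the agent still looks up and recognizes a real employee, but the combination of a high-risk action with no working out-of-band channel is exactly the case the front line should not decide alone.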
Knowledge Check Questions
This training includes a 7-question quiz to test your understanding of the threats and defenses in the MGM Resorts breach case study.
- Why were the standard identity verification questions (date of birth, last 4 of SSN) insufficient to detect this attack?
- What social engineering tactic did 'Bob' use most effectively to pressure Alice into processing the MFA reset quickly?
- According to the new MGM security protocols implemented after the breach, what should Alice have done before resetting Bob's MFA?
- What was the ultimate financial and operational impact of this 10-minute phone call on MGM Resorts?
- Why did MGM choose NOT to pay the ransom demanded by the Scattered Spider attackers?