Caesars Entertainment: Pay $15M or We Publish Your Loyalty Members' Data

Scattered Spider called Caesars Entertainment's IT helpdesk, impersonated an employee, and reset MFA to gain access. Caesars paid $15 million ransom to prevent publication of 65 million loyalty programme members' data.

Caesars Entertainment / Scattered Spider · 2023

Attack Chain

  1. Spear-phishing email
  2. Employee clicks link
  3. Credential harvested
  4. Access broker sells access
  5. Ransomware deployed
  6. Backups encrypted
  7. $15M ransom paid

Background

Caesars Entertainment operates over 50 casinos and hotels including Caesars Palace, Harrah's, and Horseshoe. The attack occurred weeks before the more publicised MGM Resorts incident by the same group and illustrates two very different responses to identical attacks.

The Attack

Scattered Spider (UNC3944) used vishing — calling Caesars' IT helpdesk and impersonating a legitimate employee — to convince helpdesk staff to reset MFA credentials. With access to a corporate account, they moved through the network to the Caesars loyalty programme database containing names, Social Security numbers, driver's licence numbers, and personal details of an estimated 65 million members. The group encrypted systems and threatened to publish the data unless paid.

Response

Caesars negotiated and paid approximately $15 million (half of the $30 million demanded). The group deleted their copy of the data — or so they claimed. Caesars disclosed the breach in a September 7, 2023 SEC filing, one week before MGM's disclosure, noting that personal information of loyalty members had been acquired.

Outcome

Caesars paid $15 million and avoided the operational disruption that MGM experienced. The contrast between Caesars (paid, minimal disruption) and MGM (refused, massive disruption) became a case study in ransomware response strategy — and neither outcome was satisfactory.

Key Takeaways

  1. IT helpdesk staff must verify identity through a second channel before resetting MFA credentials
  2. Paying ransom does not guarantee data deletion — assume data is permanently compromised
  3. Loyalty programme databases with SSNs and driver's licence data are extremely high-value exfiltration targets
  4. The Caesars-vs-MGM contrast shows that both paying and not paying have significant costs — prevention is the only winning strategy
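A defender-side sketch of takeaway 1 together with a detection for the helpdesk-reset pattern described in The Attack, as an added example (not code from the original write-up or from Caesars): the reset gate refuses unless two independent out-of-band channels pass, and the detection flags a helpdesk-initiated MFA reset followed within a short window by a login from a device never seen for that user. Event fields, thresholds and the sample events are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Independent verification channels required before a helpdesk MFA reset.
# Whatever the caller says about themselves counts for nothing on its own.
REQUIRED_CHANNELS = 2


@dataclass
class ResetRequest:
    user: str
    callback_to_number_of_record: bool = False  # helpdesk hung up and called the HR-listed number
    manager_confirmed: bool = False             # manager confirmed via a separate ticket or chat
    live_id_check: bool = False                 # badge or government ID shown in person / on video


def approve_mfa_reset(req: ResetRequest) -> tuple[bool, str]:
    """Return (approved, reason). Refuse unless enough independent channels passed."""
    passed = sum([req.callback_to_number_of_record, req.manager_confirmed, req.live_id_check])
    if passed < REQUIRED_CHANNELS:
        return False, f"{req.user}: only {passed} of {REQUIRED_CHANNELS} verification channels passed"
    return True, f"{req.user}: reset approved after {passed} independent channels"


# Detection: a helpdesk-performed MFA reset followed shortly by a new-device login
# is the footprint of a vishing reset. Self-service resets (actor == user) are ignored.
WINDOW = timedelta(hours=2)


def flag_suspicious_resets(events: list[dict]) -> list[str]:
    last_helpdesk_reset = {}  # user -> timestamp of most recent helpdesk MFA reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "MFA_RESET" and ev["actor"] != ev["user"]:
            last_helpdesk_reset[ev["user"]] = (ev["ts"], ev["actor"])
        elif ev["type"] == "LOGIN" and ev.get("new_device"):
            hit = last_helpdesk_reset.get(ev["user"])
            if hit and ev["ts"] - hit[0] <= WINDOW:
                mins = int((ev["ts"] - hit[0]).total_seconds() // 60)
                alerts.append(f"{ev['user']}: new-device login {mins} min after MFA reset by {hit[1]}")
    return alerts


# Constructed sample telemetry (not real Caesars logs): one vishing-style reset, one self-service reset.
T0 = datetime(2023, 8, 27, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "type": "MFA_RESET", "user": "jdoe", "actor": "helpdesk-03"},
    {"ts": T0 + timedelta(minutes=12), "type": "LOGIN", "user": "jdoe", "new_device": True},
    {"ts": T0 + timedelta(hours=1), "type": "MFA_RESET", "user": "asmith", "actor": "asmith"},
    {"ts": T0 + timedelta(hours=1, minutes=5), "type": "LOGIN", "user": "asmith", "new_device": True},
]
```

Run `flag_suspicious_resets(SAMPLE_EVENTS)` to see only the helpdesk-initiated reset for `jdoe` flagged; the self-service reset for `asmith` is not.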