In 2023–2024, MGM Resorts suffered a **catastrophic cyber attack** attributed to the **Scattered Spider** hacking group (affiliated with ALPHV/BlackCat ransomware). The breach began with a **social engineering attack** targeting an employee via LinkedIn, leading to credential theft and unauthorized access to MGM’s IT systems. The attackers **encrypted over 100 ESXi hypervisors**, disrupting operations across multiple properties, including slot machines, hotel reservations, and digital key systems. The outage lasted **10 days**, causing **$100M+ in losses** from downtime, recovery, and reputational damage. While MGM refused to pay the ransom, the incident triggered **class-action lawsuits**, regulatory scrutiny, and long-term customer churn. The attack exposed vulnerabilities in **identity management** and third-party access controls, aligning with 2025 trends in which **credential theft** and **gaps in phishing-resistant MFA** dominate high-impact breaches. The financial and operational fallout underscored the **existential threat** that ransomware poses to large enterprises, particularly in the hospitality and gaming sectors.
Source: https://nerdbot.com/2025/11/02/the-true-cost-of-a-data-breach-in-2025/
TPRM report: https://www.rankiteo.com/company/mgm-resorts-international
"id": "mgm3262132110325",
"linkid": "mgm-resorts-international",
"type": "Ransomware",
"date": "6/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Example: 200,000 records',
'industry': ['Healthcare',
'Financial Services',
'Technology',
'Retail'],
'location': ['United States (Highest Cost Region)',
'Global'],
'type': ['Public Companies (SEC-regulated)',
'Healthcare Organizations',
'Financial Services Firms']}],
'attack_vector': ['Credential Theft',
'Phishing',
'Privilege Misuse',
'Social Engineering'],
'customer_advisories': ['Notification Letters',
'Credit Monitoring Services',
'Call Center Support'],
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': 'Example: 200,000',
'personally_identifiable_information': True,
'sensitivity_of_data': ['High (Healthcare/Financial)',
'Moderate (Retail/Tech)'],
'type_of_data_compromised': ['Customer Records',
'PII',
'High-Value Target Data']},
'description': 'In 2025, the global average cost of a data breach declined to '
'$4.44 million USD (down 9% year-over-year), while U.S. '
'breaches averaged $10.22 million USD—a new high. Key drivers '
'include faster detection/containment (mean time trending to '
'~200 days), reduced ransomware payment rates (~23%), and SEC '
'disclosure rules compressing response timelines to 4 business '
'days. Costs stem from direct expenses (IR, legal, fines) and '
'hidden impacts (downtime, churn, premium hikes). Healthcare '
'($7.42M avg) and financial services remain high-risk '
'industries. Prevention ROI emphasizes AI-driven detection, '
'identity-first security (MFA, SSO hardening), and tested '
'response workflows.',
'impact': {'brand_reputation_impact': ['Trust Erosion',
'Higher Cost to Win Back Trust'],
'downtime': {'avg_trend': 'Low 200s of days (identification + '
'containment)',
'example': '30 hours (partial downtime at $25k/hour)'},
'financial_loss': {'example_estimate': '35.55 million USD (200k '
'records)',
'global_avg': '4.44 million USD',
'healthcare_avg': '7.42 million USD',
'per_record_cost': '130–230 USD (planning band)',
'us_avg': '10.22 million USD'},
'identity_theft_risk': ['High (Per-Record Costs Escalate with PII '
'Exposure)'],
'legal_liabilities': ['Class Actions (e.g., MGM, T-Mobile cases)',
'Regulatory Fines',
'SEC Disclosure Costs'],
'operational_impact': ['Outages',
'Slowdowns During Containment/Restore',
'Compliance Program Upgrades'],
'revenue_loss': ['Downtime ($0.75M in example)',
'Customer Churn',
'Higher Customer Acquisition Costs (CAC)']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': ['Phishing',
'Credential Theft',
'Privilege Misuse'],
'high_value_targets': ['Customer Databases',
'Financial Records',
'Healthcare PII']},
'investigation_status': 'Ongoing (Industry-Wide Trends)',
'lessons_learned': ['Faster detection/containment reduces costs significantly '
'(2025’s 9% global decline).',
'Identity controls (MFA, SSO hardening) mitigate most '
'breaches (DBIR 2025).',
'Ransomware recovery costs exceed ransom payments; budget '
'for recovery over paying.',
'SEC rules shorten response windows, increasing '
'legal/operational pressure.',
'Data minimization and retention hygiene reduce '
'per-record costs.'],
'motivation': ['Financial Gain', 'Data Exfiltration', 'Extortion'],
'post_incident_analysis': {'corrective_actions': ['Implement AI-governed '
'detection/automation.',
'Hardening MFA/SSO and '
'session controls.',
'Reduce mean time to '
'identify/contain (target '
'<200 days).',
'Conduct disclosure '
'tabletop exercises for SEC '
'compliance.',
'Refresh security tooling '
'and audit controls '
'post-incident.'],
'root_causes': ['Slow Detection/Escalation (2024’s '
'top cost driver)',
'Weak Identity Controls (80%+ '
'breaches involve credentials per '
'DBIR)',
'Ungoverned AI Systems (Increase '
'Risk Exposure)']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_paid': {'payment_rate': '~23% (2025 low)',
'trend': 'Declining (Fewer Organizations '
'Paying)'}},
'recommendations': ['Invest in AI-driven detection/automation (governed to '
'avoid risk exposure).',
'Prioritize identity-first security (phishing-resistant '
'MFA, session controls).',
'Test response readiness with disclosure tabletop '
'exercises.',
'Treat detection, IR runbooks, and customer '
'communications as capital investments.',
'Adopt data minimization strategies to lower per-record '
'breach costs.'],
'references': [{'source': 'IBM Cost of a Data Breach Report 2025'},
{'source': 'Verizon Data Breach Investigations Report (DBIR) '
'2025'},
{'source': 'Coveware/Chainalysis Ransomware Trend Trackers'}],
'regulatory_compliance': {'legal_actions': ['Class Actions',
'Agency Settlements'],
'regulations_violated': ['SEC Disclosure Rules '
'(4-day window)',
'Data Protection Laws '
'(e.g., GDPR, HIPAA)'],
'regulatory_notifications': ['Mandatory Disclosure '
'to SEC (Public '
'Companies)']},
'response': {'communication_strategy': ['SEC-Mandated Disclosure (4 business '
'days)',
'Customer Notification',
'Call Center Support'],
'containment_measures': ['Network Isolation',
'EDR Uplift',
'AI-Driven Triage'],
'enhanced_monitoring': ['Post-Breach Audits',
'Continuous Threat Detection'],
'incident_response_plan_activated': True,
'recovery_measures': ['Data Review/eDiscovery', 'System Restore'],
'remediation_measures': ['Security Rebuild',
'Audit Controls',
'Tooling Refresh'],
'third_party_assistance': ['IR Retainers',
'Forensics Teams',
'Third-Party Monitoring']},
'stakeholder_advisories': ['SEC-Mandated Disclosures',
'Board Communications',
'Regulatory Reporting'],
'title': '2025 Global Data Breach Cost Trends and Insights',
'type': ['Data Breach', 'Ransomware', 'Regulatory Non-Compliance'],
'vulnerability_exploited': ['Weak Identity Controls',
'Slow Detection Capabilities',
'Ungoverned AI Systems']}