In September 2023, Caesars Entertainment, operator of over 50 major casino and hotel brands including Harrah’s, Bally’s, Horseshoe, and Paris Las Vegas, quietly paid a ransom of approximately $15 million to the ALPHV/BlackCat-affiliated group Scattered Spider following a social engineering attack on its IT helpdesk.
The breach occurred in the same month as the MGM Resorts attack by the same threat actor group, demonstrating a systematic campaign against the US casino industry using identical techniques. Caesars Entertainment chose to pay; MGM chose to resist. Both outcomes were costly. The entry mechanism was the same: a phone call to an IT helpdesk that convinced a support representative to reset credentials for an Okta account.
What Happened
Scattered Spider targeted Caesars Entertainment’s IT service desk with a social engineering call, impersonating a Caesars employee and requesting a credential reset. Upon obtaining the reset credentials, the group used them to access Caesars’ Okta single sign-on environment, then moved laterally through the organisation’s systems.
Unlike the MGM attack, which caused visible operational disruption when MGM chose to shut down systems, the Caesars breach was initially invisible to the public. Caesars chose to negotiate and pay a ransom. The breach became public knowledge through Caesars’ SEC Form 8-K filing on 7 September 2023 and subsequent coverage by the Wall Street Journal and other media.
The timeline:
- Late August 2023: Scattered Spider contacts Caesars IT helpdesk, social engineers a credential reset
- Late August 2023: Lateral movement and data exfiltration through Okta-connected systems
- September 2023: Caesars Entertainment negotiates with threat actors; pays approximately $15 million (reported as half of the initial $30 million demand)
- September 7, 2023: Caesars files SEC Form 8-K disclosing the breach
- September 2023: Wall Street Journal reports the breach details and ransom payment
- September 14, 2023: MGM Resorts breach begins — same threat actor group, same technique
- Late 2023: Caesars discloses data breach notification — loyalty programme data compromised for tens of millions of members
The data confirmed stolen includes loyalty programme data for a significant portion of Caesars Rewards members. Exposed data includes Social Security numbers and driver’s licence numbers for affected loyalty members — highly sensitive information for identity theft and fraud purposes.
How It Happened
The Caesars breach used the same social engineering playbook as MGM: call the IT helpdesk, impersonate an employee, request a credential reset, use the resulting access to reach the Okta SSO environment.
The specific circumstances confirm what the MGM analysis also demonstrates: IT helpdesks that rely on knowledge-based verification are a systematic vulnerability in enterprise identity security. Scattered Spider targeted two of the world’s largest casino operators within the same month using the same technique, demonstrating that the approach scales and repeats across organisations that have not hardened their helpdesk verification processes.
The Okta NHI surface is again the high-value target: once Scattered Spider had access to Caesars’ Okta environment, they could move through the SSO estate using legitimate credentials, accessing loyalty programme databases and other systems that single sign-on makes reachable from a single authenticated session.
The loyalty programme data is particularly sensitive for Caesars specifically. Caesars Rewards is one of the largest casino loyalty programmes in the world. Membership data includes highly personal information about gambling habits and financial activity, combined with personally identifiable information including Social Security numbers — a combination that represents significant identity theft and fraud risk for affected members.
What This Means for NHI Governance
The Caesars and MGM breaches together represent a documented, systematic campaign against the US casino industry’s IT helpdesk identity reset processes. The twin breaches in September 2023 should be read as a definitive case study in the risk of knowledge-based helpdesk verification at scale.
From an NHI perspective, both breaches demonstrate the same point: the identity provider, Okta in both cases, is a critical NHI management surface. Its security posture is only as strong as the weakest identity reset path. If a phone call can bypass Okta authentication, then Okta’s security guarantees apply only to attackers who are not willing to make a phone call.
The Caesars outcome also introduces a consideration about the ransomware economics of paying versus resisting. Caesars paid approximately $15 million and avoided operational disruption. MGM resisted and incurred operational costs exceeding $100 million plus data exposure. Neither outcome vindicates the choice: Caesars still suffered data theft and regulatory exposure, and paying a ransom does not guarantee data destruction. What the comparison illustrates is that the cost of prevention, hardening the IT helpdesk verification process that was the common entry point, would have been a fraction of either outcome.
Recommendations
- Audit all helpdesk identity reset procedures immediately. Any process that allows an account reset based on a phone call and knowledge-based verification is a Scattered Spider-style attack vector. Replace knowledge-based verification with identity-binding verification for any action that grants or resets access to corporate systems.
- Treat Okta administrative access as ultra-high-privilege. The Okta admin console can reset every identity in the environment. It requires the same protection as domain administrator access: phishing-resistant MFA, dedicated access workstations, and real-time monitoring of all administrative actions.
- Implement a formal ransom payment decision framework before an incident occurs. The Caesars vs MGM comparison shows that paying and resisting both have significant costs. Organisations should have a pre-defined decision framework that assesses data theft risk, operational disruption risk, and regulatory exposure before the moment of crisis.
- Audit loyalty programme database access controls. Loyalty programme data, combining PII with transaction history and sensitive personal information, represents a high-value target for both identity theft and social engineering. Access should be tightly scoped, monitored, and subject to rigorous access review.
- Review all SSO-connected application access scopes. Every application connected to Okta represents a blast radius point if Okta is compromised. Audit what data each SSO-connected application can access and ensure that access is scoped to what is genuinely required.
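The monitoring recommendations above (administrative actions on Okta, and helpdesk-driven credential resets in particular) can be checked mechanically against the Okta System Log. The following Python script is an added example written for this page; it is not code from the original post, from Caesars, from Okta or from NHI Mgmt Group. It assumes the event type names `user.account.reset_password`, `user.mfa.factor.reset_all`, `user.mfa.factor.deactivate` and `user.session.start` and the `published`/`eventType`/`actor`/`target`/`client` field layout of Okta's log export (verify these against your own tenant's export before relying on them); the user names, IP addresses, timestamps and trusted network ranges are constructed. It flags the pattern behind the Caesars and MGM entries: a password reset performed by someone other than the account owner, an MFA reset by someone other than the account owner, and a login from outside trusted networks, all for the same user within a short window.

```python
"""Flag helpdesk-assisted account-takeover patterns in Okta System Log events.

Added example for this page, not Okta's or NHI Mgmt Group's code. Event type
names follow Okta's System Log naming (assumption: check against your tenant);
all sample data below is constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Corporate ranges from which a freshly reset account may legitimately sign in.
# Constructed values; replace with your own office/VPN ranges.
TRUSTED_NETS = ("10.0.0.0/8", "192.168.0.0/16")

# Admin-initiated MFA resets (assumed Okta event type names).
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Constructed sample events modelled on the Okta System Log export shape.
SAMPLE_EVENTS = [
    # Suspicious sequence: helpdesk resets password and MFA for j.doe, then
    # j.doe signs in from an address outside the corporate ranges.
    {"published": "2023-08-28T14:02:11Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "helpdesk.agent@example.com", "type": "User"},
     "target": [{"alternateId": "j.doe@example.com"}],
     "client": {"ipAddress": "10.0.5.21"}},
    {"published": "2023-08-28T14:05:40Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk.agent@example.com", "type": "User"},
     "target": [{"alternateId": "j.doe@example.com"}],
     "client": {"ipAddress": "10.0.5.21"}},
    {"published": "2023-08-28T14:11:03Z", "eventType": "user.session.start",
     "actor": {"alternateId": "j.doe@example.com", "type": "User"},
     "target": [],
     "client": {"ipAddress": "203.0.113.77"}},
    # Benign: a.smith resets her own password via self-service (actor == target),
    # keeps her MFA factors, and signs in from an office address.
    {"published": "2023-08-28T09:00:00Z", "eventType": "user.account.reset_password",
     "actor": {"alternateId": "a.smith@example.com", "type": "User"},
     "target": [{"alternateId": "a.smith@example.com"}],
     "client": {"ipAddress": "10.0.7.5"}},
    {"published": "2023-08-28T09:03:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "a.smith@example.com", "type": "User"},
     "target": [],
     "client": {"ipAddress": "10.0.7.5"}},
]


def _ts(event):
    """Parse the Okta 'published' timestamp (UTC, 'Z' suffix)."""
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def _target_user(event):
    """The account acted upon, or None for events without a target."""
    targets = event.get("target") or []
    return targets[0]["alternateId"] if targets else None


def find_helpdesk_takeovers(events, window_minutes=30, trusted_nets=TRUSTED_NETS):
    """Return one alert per admin-assisted password reset that is followed,
    within window_minutes, by an admin-assisted MFA reset on the same account
    and a login by that account from outside the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(lambda: {"pw": [], "mfa": [], "login": []})

    for ev in sorted(events, key=_ts):
        et = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        if et == "user.account.reset_password":
            tgt = _target_user(ev)
            if tgt and actor != tgt:  # reset performed by someone else
                by_user[tgt]["pw"].append(ev)
        elif et in MFA_RESET_EVENTS:
            tgt = _target_user(ev)
            if tgt and actor != tgt:
                by_user[tgt]["mfa"].append(ev)
        elif et == "user.session.start":
            ip = ipaddress.ip_address(ev["client"]["ipAddress"])
            if not any(ip in n for n in nets):  # untrusted source address
                by_user[actor]["login"].append(ev)

    alerts = []
    for user, steps in by_user.items():
        for pw in steps["pw"]:
            t0 = _ts(pw)
            mfa = [e for e in steps["mfa"] if t0 <= _ts(e) <= t0 + window]
            login = [e for e in steps["login"] if t0 <= _ts(e) <= t0 + window]
            if mfa and login:
                alerts.append({
                    "user": user,
                    "reset_by": pw["actor"]["alternateId"],
                    "mfa_reset_by": mfa[0]["actor"]["alternateId"],
                    "login_ip": login[0]["client"]["ipAddress"],
                    "start": pw["published"],
                })
    return alerts


if __name__ == "__main__":
    print(json.dumps(find_helpdesk_takeovers(SAMPLE_EVENTS), indent=2))
```

Run stand-alone, the script reports the j.doe sequence and ignores a.smith's self-service reset. In a real deployment the events would come from the System Log API or a SIEM export and the trusted ranges from your network inventory; the window is the parameter to tune, since a genuine helpdesk reset followed by an immediate sign-in from a new device is exactly what a social-engineered reset also looks like, which is why the recommendation is to fix the verification step rather than rely on detection alone.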
How NHI Mgmt Group Can Help
Securing Non-Human Identities (NHIs), including AI agents, is becoming increasingly crucial as attackers discover and target service accounts, API keys, tokens, secrets, and OAuth credentials during breaches. These NHIs often hold extensive permissions that can be exploited, making their security a priority for any organisation focused on protecting its digital assets.
Take our NHI Foundation Level Training Course, the most comprehensive in the industry, that will empower you and your organisation with the knowledge needed to manage and secure these non-human identities effectively.
Final Thoughts
The Caesars Entertainment breach is notable for two reasons. First, it demonstrates that the Scattered Spider IT helpdesk social engineering technique is not a one-off creative attack; it is a repeatable playbook that was executed successfully against two of the world’s largest casino operators within the same month. Second, it shows that paying a ransom does not close the breach. Caesars paid $15 million and still had to disclose data theft affecting tens of millions of loyalty programme members.
The preventive control, adequately verifying identity at the helpdesk before granting credential resets, would have prevented both outcomes. That is the governance lesson: the weakest link in your identity security posture is the process by which credentials can be reset, not the strength of the credentials themselves.