Recent cyberattacks on Caesars Entertainment [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] and MGM Resorts have raised concerns about the computer defenses of the casino and hospitality industry in Las Vegas.


Caesars Entertainment, the largest casino owner in the world with properties in multiple states and Canada [3], reported a cyberattack to federal regulators [3]. The attack, which occurred on September 7, was attributed to a social engineering attack on an outsourced IT support vendor [1] [2] [5] [7]. While the company stated that its operations were not disrupted, it acknowledged that it may have incurred expenses related to the incident [1]. The hackers were able to access the loyalty program database [1], compromising personal information such as driver’s license numbers and Social Security numbers [1]. Caesars Entertainment has taken steps to ensure the stolen data is deleted [1], but cannot guarantee this outcome [1] [4] [7] [10]. Loyalty program customers were offered credit monitoring and identity theft protection [3], and there was no evidence that the intruder obtained member passwords or bank account information [3].

MGM Resorts [2] [3] [4] [5] [6] [7] [10], another casino company [3] [9], also reported a cyberattack that led to the shutdown of computer systems at its properties [3]. This affected reservations and casino floors, causing issues with credit card transactions and accessing hotel rooms [3]. MGM Resorts has a large number of loyalty rewards members and operates properties in Las Vegas [3], China [3], and Macau [3].

The cyberattacks on Caesars Entertainment and MGM Resorts have highlighted the vulnerability of the casino and hospitality industry in Las Vegas. These incidents are part of a global trend of increasing cyberattacks [7], with attacks up 156% in the second quarter of 2023 [7]. The cybercrime group responsible for these attacks is known for being effective social engineers and has targeted other companies such as Cloudflare, Okta [9], and Twilio [9]. The FBI is currently investigating the cybersecurity incident at MGM Resorts [4], and authorities advise against paying the ransom demanded by the hackers [10].

Caesars Entertainment disclosed the incident in a U.S. Securities and Exchange Commission filing [9], acknowledging it as a material event [9]. The company reportedly paid a ransom of $15 million to prevent the release of the stolen customer data. Initially, the cybercrime group demanded a $30 million ransom [9], but Caesars agreed to pay half that amount [9]. The company does not expect the ransom payment to have a material effect on its bottom line [9]. The Securities and Exchange Commission has introduced a new cybersecurity disclosure rule that requires companies to report cyberattacks and their impact on the business [9].


The cyberattacks on Caesars Entertainment and MGM Resorts have had significant impacts on their operations and customers. The compromised personal information and disruption of computer systems have raised concerns about the vulnerability of the casino and hospitality industry in Las Vegas. The increasing trend of cyberattacks globally highlights the need for improved cybersecurity measures. The FBI’s investigation and the introduction of new cybersecurity disclosure rules by the Securities and Exchange Commission demonstrate the seriousness of these incidents and the importance of addressing cybersecurity threats. It is crucial for companies in the industry to strengthen their computer defenses and take proactive measures to mitigate the risks posed by cybercriminals.