
Caesars Entertainment — Scattered Spider extortion

Scattered Spider socially engineered an IT support contractor, exfiltrated the Caesars Rewards loyalty database, and reportedly received a $15M ransom payment to prevent data publication.

Target: Caesars Entertainment — Scattered Spider extortion
Date public: 7 September 2023
Sector: Consumer Goods
Attack type: Data Breach
Threat actor: Scattered Spider (ALPHV affiliate)
Severity: High
Region: United States

About a week before the more famous MGM Resorts attack made headlines, the same group quietly broke into Caesars Entertainment using almost the same method: they tricked an IT support worker, in this case an employee of an outside company that Caesars used for IT support, into giving them access to Caesars' identity systems. Once inside, they copied the Caesars Rewards database, the loyalty programme that tens of millions of casino visitors use to track their points. That database contained names, addresses and phone numbers and, for a significant number of members, driving-licence and Social Security numbers. The attackers demanded $30 million to delete the data and stay quiet; Caesars reportedly paid around $15 million, roughly half the demand. The breach was disclosed in a regulatory filing on 7 September 2023, and most customers only found out when the news broke.

What happened

In mid-August 2023 Scattered Spider compromised Caesars Entertainment by social-engineering an employee of a third-party IT support vendor that had access to Caesars’ identity management systems. The attackers used that access to reach the Caesars Rewards loyalty programme database, one of the largest such databases in the US hospitality industry, and exfiltrate its contents; Caesars’ 8-K dates the copying of the database to on or about 18 August 2023. Caesars Rewards members whose driving-licence numbers and Social Security numbers were stored in the database had that data stolen.

Caesars disclosed the breach in an SEC Form 8-K filed on 7 September 2023. The filing predates the SEC’s cybersecurity-incident disclosure rule (Item 1.05, in force from December 2023), so no four-business-day deadline applied; the incident was reported under Item 8.01 (“Other Events”). The disclosure was measured: Caesars confirmed that loyalty-programme data had been taken, said it had “taken steps to ensure” that the stolen data was deleted by the unauthorised actor while adding that it could not guarantee that result, and did not name a ransom figure or the group responsible. Reporting by the Wall Street Journal and others established that Caesars had paid approximately $15 million, roughly half of an initial $30 million demand, with payment made before the public disclosure.

No operational disruption occurred. Caesars’ hotel, casino, and online gaming systems continued to operate normally throughout. That outcome reflects both the nature of the attack (data theft rather than encryption) and the company’s decision to pay quickly to forestall further action. The contrast with MGM — which was struck by the same group approximately a week later, refused to pay, and suffered ten days of visible operational disruption — became the central case study in post-incident debates about whether paying ransoms “works”.

How it worked

Scattered Spider’s entry point was an outsourced IT support contractor with access to Caesars’ identity management infrastructure. The exact social-engineering pretext used against the contractor has not been publicly disclosed in detail, but the group’s standard methodology — documented across multiple incidents and in the CISA/FBI advisory published in November 2023 — involves phone calls posing as internal IT staff or service desk personnel, requests for MFA resets or credential changes, and use of publicly available employee information from LinkedIn to make the pretext credible.

The critical element is that the compromised account belonged not to a Caesars employee but to a contractor at a third-party support organisation, and that contractor had been granted privileged access to Caesars’ identity systems as part of the support function. The attacker did not need to compromise Caesars directly; it was enough to compromise a smaller organisation holding that access, one that typically has a less mature security posture, less investment in security-awareness training, and whose staff are less visible to Caesars’ own monitoring because their accounts are expected to perform administrative actions.
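As an added illustration (not code from this page or from any identity-provider vendor), the following detection looks for the chain that a service-desk social-engineering call of the kind described in the two paragraphs above leaves in an identity provider’s audit log: a factor reset performed on an account by someone other than its owner (help desk or outsourced vendor), followed within a short window by enrolment of a new factor and a session from an address the owner has never used. The event-type and field names are assumptions modelled loosely on Okta System Log naming, and the log entries are constructed.

```python
"""Detect the service-desk MFA-reset chain in identity-provider audit events:
a reset performed on a user by someone else (help desk or outsourced vendor),
followed within a short window by enrolment of a new factor and a session
from a network the user has never been seen on.

Added illustration, not code from the incident page. Event field names are
an assumption modelled loosely on Okta System Log naming (eventType, actor,
target, client.ipAddress, outcome.result); adapt to your IdP's schema.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
ENROL_EVENTS = {"user.mfa.factor.activate"}
SESSION_EVENTS = {"user.session.start"}
WINDOW = timedelta(hours=6)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _who(obj: dict) -> str:
    return obj.get("alternateId") or obj.get("id", "")


def _event(ts, etype, actor, target, ip, result="SUCCESS") -> dict:
    """Build one constructed audit event in the assumed schema."""
    return {"published": ts, "eventType": etype,
            "actor": {"alternateId": actor},
            "target": [{"alternateId": target}],
            "client": {"ipAddress": ip},
            "outcome": {"result": result}}


# Constructed sample log (not real data); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    # Baseline: users sign in from their usual corporate egress address.
    _event("2023-08-16T08:55:00Z", "user.session.start", "j.doe@corp.example", "j.doe@corp.example", "198.51.100.10"),
    _event("2023-08-16T09:02:00Z", "user.session.start", "m.lee@corp.example", "m.lee@corp.example", "198.51.100.22"),
    _event("2023-08-16T09:05:00Z", "user.session.start", "a.smith@corp.example", "a.smith@corp.example", "198.51.100.31"),
    # Chain 1: outsourced help desk resets j.doe's factors; a new factor is
    # enrolled and a session starts from an address j.doe has never used.
    _event("2023-08-18T13:05:00Z", "user.mfa.factor.reset_all", "helpdesk.vendor@msp.example", "j.doe@corp.example", "192.0.2.44"),
    _event("2023-08-18T13:11:00Z", "user.mfa.factor.activate", "j.doe@corp.example", "j.doe@corp.example", "203.0.113.77"),
    _event("2023-08-18T13:14:00Z", "user.session.start", "j.doe@corp.example", "j.doe@corp.example", "203.0.113.77"),
    # Chain 2: self-service reset by a.smith (actor == target); not the pattern.
    _event("2023-08-18T15:00:00Z", "user.mfa.factor.reset_all", "a.smith@corp.example", "a.smith@corp.example", "198.51.100.31"),
    _event("2023-08-18T15:03:00Z", "user.mfa.factor.activate", "a.smith@corp.example", "a.smith@corp.example", "198.51.100.31"),
    _event("2023-08-18T15:04:00Z", "user.session.start", "a.smith@corp.example", "a.smith@corp.example", "203.0.113.90"),
    # Chain 3: help-desk reset for m.lee, but the new session comes from the
    # address m.lee already used before the reset, so it is not flagged.
    _event("2023-08-19T10:00:00Z", "user.mfa.factor.reset_all", "helpdesk.vendor@msp.example", "m.lee@corp.example", "192.0.2.44"),
    _event("2023-08-19T10:06:00Z", "user.mfa.factor.activate", "m.lee@corp.example", "m.lee@corp.example", "198.51.100.22"),
    _event("2023-08-19T10:07:00Z", "user.session.start", "m.lee@corp.example", "m.lee@corp.example", "198.51.100.22"),
]


def detect_reset_chains(events: list[dict], privileged_users=frozenset(),
                        window: timedelta = WINDOW) -> list[dict]:
    """One finding per reset-by-someone-else that is followed, inside `window`,
    by a new-factor enrolment and a successful session from an IP address the
    target had never used before the reset."""
    events = sorted(events, key=lambda e: _ts(e["published"]))
    sessions: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e["eventType"] in SESSION_EVENTS and e["outcome"]["result"] == "SUCCESS":
            sessions[_who(e["actor"])].append((_ts(e["published"]), e["client"]["ipAddress"]))

    findings = []
    for e in events:
        if e["eventType"] not in RESET_EVENTS or e["outcome"]["result"] != "SUCCESS":
            continue
        actor, target = _who(e["actor"]), _who(e["target"][0])
        if actor == target:
            continue  # self-service reset: not the help-desk pattern
        t0 = _ts(e["published"])
        t1 = t0 + window
        enrol = next((x for x in events if x["eventType"] in ENROL_EVENTS
                      and _who(x["target"][0]) == target
                      and t0 <= _ts(x["published"]) <= t1), None)
        if enrol is None:
            continue
        known_ips = {ip for ts, ip in sessions[target] if ts < t0}
        new_ip = next((ip for ts, ip in sessions[target]
                       if _ts(enrol["published"]) <= ts <= t1 and ip not in known_ips), None)
        if new_ip is None:
            continue
        findings.append({"target": target, "reset_by": actor, "reset_at": e["published"],
                         "enrolled_at": enrol["published"], "new_ip": new_ip,
                         "privileged": target in privileged_users})
    return findings


if __name__ == "__main__":
    for f in detect_reset_chains(SAMPLE_LOG, privileged_users={"j.doe@corp.example"}):
        print(f)
```

The actor-versus-target test is what separates a help-desk-driven reset from a user’s own self-service reset, and the “new IP” test uses only the target’s own pre-reset history, so a vendor account that legitimately resets factors all day is still flagged only when the reset is followed by a sign-in from somewhere the user has never been.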

Access to the identity layer is what turns a help-desk compromise into a database theft: whoever controls the identity provider can reset the password or MFA of, or issue sessions for, accounts that already hold rights to downstream systems, so the database is then reached with credentials that look entirely legitimate. (How the attackers moved from identity access to the database in this particular case has not been detailed publicly.) The loyalty-programme database is a high-value target: it is large, it contains stable personally identifiable information (Social Security numbers and driving-licence numbers change rarely), and it is centralised. Exfiltration at scale from a database that an attacker already has legitimate-appearing access to is technically straightforward and hard to distinguish from normal query activity without careful behavioural baselining of each principal’s query volume.
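The behavioural baselining the paragraph above calls for, as an added example that is not part of the original page: a per-principal, leave-one-out median/MAD baseline over daily rows-returned totals taken from a database audit log. A single query returning the whole table stands out against the account’s own history even though the query itself is syntactically routine. The audit-record layout and the log lines are constructed assumptions.

```python
"""Behavioural baselining of a database audit log: flag a principal whose
daily rows-returned volume is far outside its own history, the signature of
a bulk dump by an account whose individual queries look legitimate.

Added example, not code from the incident page. The audit-record shape
(ts, principal, statement, rows_returned) is an assumption; map it to what
your database's audit facility actually emits (pgaudit, SQL Server Audit...).
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from statistics import median

# Constructed audit extract (not real data): five baseline days, then 18 Aug.
SAMPLE_AUDIT = """\
ts,principal,statement,rows_returned
2023-08-11T09:10:00Z,svc-rewards-api,SELECT,1180
2023-08-11T14:20:00Z,svc-rewards-api,SELECT,1220
2023-08-11T23:00:00Z,svc-reporting,SELECT,48000
2023-08-12T09:05:00Z,svc-rewards-api,SELECT,1600
2023-08-12T15:40:00Z,svc-rewards-api,SELECT,1500
2023-08-12T23:00:00Z,svc-reporting,SELECT,55000
2023-08-13T09:12:00Z,svc-rewards-api,SELECT,1300
2023-08-13T16:02:00Z,svc-rewards-api,SELECT,1350
2023-08-13T23:00:00Z,svc-reporting,SELECT,51000
2023-08-14T08:58:00Z,svc-rewards-api,SELECT,1450
2023-08-14T13:31:00Z,svc-rewards-api,SELECT,1450
2023-08-14T23:00:00Z,svc-reporting,SELECT,60000
2023-08-15T09:20:00Z,svc-rewards-api,SELECT,1100
2023-08-15T14:45:00Z,svc-rewards-api,SELECT,1100
2023-08-15T23:00:00Z,svc-reporting,SELECT,44000
2023-08-18T09:03:00Z,svc-rewards-api,SELECT,1210
2023-08-18T11:47:00Z,svc-rewards-api,SELECT,41000000
2023-08-18T15:10:00Z,svc-rewards-api,SELECT,1290
2023-08-18T23:00:00Z,svc-reporting,SELECT,52000
"""


def daily_totals(audit_csv: str) -> dict[str, dict[str, int]]:
    """principal -> day (YYYY-MM-DD) -> rows returned that day."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(audit_csv)):
        totals[row["principal"]][row["ts"][:10]] += int(row["rows_returned"])
    return totals


def detect_bulk_reads(audit_csv: str, threshold: float = 5.0,
                      min_ratio: float = 10.0, min_history: int = 3) -> list[dict]:
    """Leave-one-out robust z-score per principal-day. A day is flagged when
    its volume exceeds median + threshold * MAD of the principal's other days
    and is also at least min_ratio times that median. Median/MAD rather than
    mean/stddev so the dump day cannot inflate its own baseline; the ratio
    guard keeps near-constant baselines (MAD close to zero) from alerting on
    small wobbles."""
    findings = []
    for principal, per_day in daily_totals(audit_csv).items():
        for day, rows in sorted(per_day.items()):
            history = [v for d, v in per_day.items() if d != day]
            if len(history) < min_history:
                continue  # not enough baseline to judge
            med = median(history)
            mad = median(abs(v - med) for v in history) or 1.0
            score = (rows - med) / mad
            if score > threshold and rows >= min_ratio * med:
                findings.append({"principal": principal, "day": day, "rows": rows,
                                 "baseline_median": med, "score": round(score, 1)})
    return findings


if __name__ == "__main__":
    for f in detect_bulk_reads(SAMPLE_AUDIT):
        print(f)
```

In the constructed data the reporting account legitimately reads tens of thousands of rows every night and is never flagged, while the API account’s single 41-million-row read on 18 August is flagged against its own baseline of a few thousand rows a day; a fixed “rows per query” threshold would have had to choose between missing the dump and paging on the nightly report.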

The payment decision represents a strategic calculation. By paying approximately $15 million before any public disclosure, Caesars obtained — or attempted to obtain — assurance that the data would be deleted and not published. Whether the data was actually deleted cannot be independently verified. Security researchers and law enforcement have consistently cautioned that ransom payments do not guarantee data destruction, and that data exfiltrated by criminal groups frequently reappears in subsequent operations regardless of payment.

Timeline

  • August 2023 — Scattered Spider socially engineers a contractor at Caesars’ outsourced IT support vendor, obtaining access to Caesars’ identity management systems.
  • On or about 18 August 2023 — Attackers copy the Caesars Rewards loyalty database (the date Caesars’ 8-K gives for the acquisition). A demand of approximately $30 million follows.
  • Before 7 September 2023 — Caesars reportedly pays roughly $15 million, half the demand; attackers provide assurances the data will be deleted.
  • 7 September 2023 — Caesars files an 8-K with the SEC disclosing a cybersecurity incident affecting its loyalty programme member data, including driving-licence and Social Security numbers. This is the first public disclosure.
  • 11 September 2023 — MGM Resorts, struck by the same group using the same initial-access technique, goes public with its own incident. The two breaches become a paired news story.
  • October 2023 — Caesars begins mailing breach notification letters to affected loyalty members.
  • November 2023 — CISA and FBI publish joint advisory AA23-320A on Scattered Spider TTPs, partly informed by the MGM and Caesars incidents.
  • November 2024 — DOJ indicts five alleged Scattered Spider members; charges relate to the broader campaign including the MGM and Caesars operations.

What defenders should learn

Caesars illustrates the supply-chain entry point in identity security. The attacker did not need to phish a Caesars employee. They needed to phish someone at a smaller company that Caesars had granted privileged access to. Third-party vendors with access to identity systems, HR systems, or customer databases represent an extension of the organisation’s own security perimeter, and they should be treated accordingly.

The practical implication is that vendor access should be subject to the same identity-verification standards as internal staff. Any vendor account that can query or administer identity systems should require phishing-resistant MFA (FIDO2/WebAuthn or certificate-based, not SMS or push approval). Access should be scoped to the minimum necessary function, time-limited where possible, and reviewed regularly. Any vendor’s security posture, particularly its security-awareness training and MFA policies for staff with elevated access, should be part of the vendor-assessment and ongoing vendor-management process.
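One way to encode the vendor-access requirements above as a deny-by-default check, as an added example drawn neither from the page nor from any product: grants are scoped and time-boxed, only phishing-resistant factors are accepted, and long-lived grants are surfaced for review as de facto standing access. The record shapes, factor labels, scope names and sample accounts are illustrative assumptions.

```python
"""Deny-by-default policy for a third-party support account acting on an
identity system: an action is allowed only if a time-boxed grant covering
it is live and the session was authenticated with a phishing-resistant
factor. A second check lists grants that amount to standing access.

Added example; not code from the incident page nor from any vendor product.
The Grant/Session records, factor labels and scope names are illustrative
assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed factor labels; FIDO2/WebAuthn and PIV are the phishing-resistant ones.
PHISHING_RESISTANT = frozenset({"webauthn", "fido2", "piv"})
MAX_GRANT = timedelta(hours=8)  # anything longer is treated as standing access
UTC = timezone.utc


@dataclass(frozen=True)
class Grant:
    principal: str
    scopes: frozenset        # actions the grant permits, e.g. "mfa.reset"
    not_before: datetime
    not_after: datetime
    ticket: str              # change/ticket reference that justified the grant


@dataclass(frozen=True)
class Session:
    principal: str
    factor: str              # authentication factor used for this session
    at: datetime


def evaluate(grants: list[Grant], session: Session, action: str) -> tuple[bool, str]:
    """Return (allowed, reason). Every failure path denies."""
    if session.factor not in PHISHING_RESISTANT:
        return False, f"factor {session.factor!r} is not phishing-resistant"
    live = [g for g in grants
            if g.principal == session.principal and g.not_before <= session.at <= g.not_after]
    if not live:
        return False, "no live grant for this principal at this time"
    for g in live:
        if action in g.scopes:
            return True, f"allowed by grant {g.ticket}"
    return False, f"action {action!r} is outside the granted scope"


def standing_grants(grants: list[Grant], max_grant: timedelta = MAX_GRANT) -> list[str]:
    """Tickets of grants whose window exceeds max_grant: these are effectively
    standing access and belong on the periodic access-review list."""
    return [g.ticket for g in grants if g.not_after - g.not_before > max_grant]


# Constructed sample grants (not real accounts): one just-in-time grant for a
# help-desk contractor and one year-long read grant for a reporting vendor.
GRANTS = [
    Grant("helpdesk.vendor@msp.example", frozenset({"user.read", "mfa.reset"}),
          datetime(2023, 8, 18, 13, 0, tzinfo=UTC), datetime(2023, 8, 18, 17, 0, tzinfo=UTC),
          "CHG-1042"),
    Grant("reporting.vendor@msp.example", frozenset({"user.read"}),
          datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC),
          "CHG-0007"),
]


def demo() -> dict[str, bool]:
    """The four cases the policy must get right for the help-desk account:
    weak factor, in-scope action, out-of-scope action, and expired grant."""
    at = datetime(2023, 8, 18, 13, 5, tzinfo=UTC)
    late = datetime(2023, 8, 18, 18, 0, tzinfo=UTC)
    vendor = "helpdesk.vendor@msp.example"
    return {
        "weak_factor": evaluate(GRANTS, Session(vendor, "sms", at), "mfa.reset")[0],
        "in_scope": evaluate(GRANTS, Session(vendor, "webauthn", at), "mfa.reset")[0],
        "out_of_scope": evaluate(GRANTS, Session(vendor, "webauthn", at), "group.admin")[0],
        "expired": evaluate(GRANTS, Session(vendor, "webauthn", late), "mfa.reset")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
    print("standing access to review:", standing_grants(GRANTS))
```

The factor check runs before any grant lookup, so a help-desk operator whose session was established with an SMS code is denied even inside a valid window; the expiry check means a grant obtained for a ticket cannot be reused hours later, and the standing-grant report is what the regular review cycle should be consuming.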

The payment calculus deserves direct examination. Caesars paid and avoided operational disruption. MGM did not pay and absorbed ten days of visible casino-floor outage and an estimated $100 million in losses. On a purely transactional basis, payment appears to have “worked” for Caesars in the immediate term. Security practitioners, FBI guidance, and CISA advisories nonetheless consistently advise against payment, for reasons the Caesars outcome neither disproves nor validates: payment funds future operations, creates an incentive to re-target organisations known to pay, and provides no guarantee of data destruction. Whether Caesars’ data was actually deleted, or whether it will surface elsewhere, remains unknown.

The Caesars incident also highlights the gap between regulatory disclosure timelines and customer notification. The 8-K was filed on 7 September, satisfying SEC requirements. Customer notification letters took until October. In the interval, affected members — many of whom had Social Security numbers and driving-licence data in the stolen database — had no opportunity to take protective action such as placing credit freezes. Closing that gap is a public policy question as much as an organisational one, but organisations can choose to notify customers faster than the minimum legal timeline requires.
