There is one conversation I recall that I had with a security architect with a hospitality company a couple of months after the MGM cyber attack. He looked exhausted.
They wasn’t frustrated with ransomware itself. He was frustrated by the hard to accept reality the incident exposed a human problem had struck a billion-dollar casino giant at its core.
Not malware sophistication. Not a zero day exploit like those that Hollywood uses.
A phone call.
It is because of that reality that makes many executives feel uneasy in 2026 the MGM’s lesson regarding the impact of Ransomware isn’t about casinos. It’s the vulnerability of modern businesses when identity systems, help desks, third party tools and operational technology are too close.
As an IT administrator, security specialist, cloud provider, or risk manager, the MGM case should definitely interest you as it is a typical example of how attackers take advantage of one thing most organizations still don’t realize is that people under stress are an easy target.
When hotel doors stop working, cybersecurity becomes a business problem
The majority of ransomware conversations remain in the IT vernacular.
Encryption. Lateral movement. Privilege escalation.
The incident at MGM Resorts International prompted executives to rethink their strategies because customers felt the impact immediately.
The intrusions at various MGM Resorts properties were widespread in September 2023, when a group widely believed to be responsible for the social engineering attacks on the group’s members, Scattered Spider or ALPHV, reportedly compromised internal systems across the company. The hotel’s keys were an issue for guests. Digital systems failed. Slot machines malfunctioned. The number of people signing into the hotel was significantly reduced.
This was more than just a technology outage for a hostelry organization.
What it was, was just inaction paralysis.
The cyberattack was likely to cost MGM around $100 million during the quarter, mainly as a result of disruption to its operations and the subsequent decrease in business activity, MGM later stated. I suspect the reputational cost was as much, if not more, than that number did, but it certainly did capture people’s attention. Lack of room access or services dashes guest trust.Guest trust evaporates in a flash if they can’t enter rooms or use services.
The thing that shocked many of the executives that I spoke with afterwards was how much it came into the light about cyber security.
Typically, security flaws remain within dashboards.
Guests to MGM get to know them first-hand.
Why did a giant company struggle so badly?
It’s easy to think that it would be easy for large enterprises to fail once their technology has gone out of style.
This assumption is wrong as far as this event here is concerned.
There were reports of attackers exploiting MGM’s help desk processes by using social engineering. They used to take an indirect approach to the infrastructure, rather than directly attacking it, by exploiting human workflows.They used to use indirect means to penetrate the infrastructure, rather than direct means, such as human workflows.
That detail matters.
There are many instances of businesses spending millions of dollars creating firewalls, but neglecting their own internal support teams’ identities.
I have experienced and seen instances of this first-hand.
Many years ago I helped a mid-sized company and transition their identity systems to a hybrid cloud environment. Investments in endpoint protection and threat monitoring were a strong emphasis of leadership.
Meanwhile, the authentication of help desk was like this:
- Can you confirm employee ID?
- What’s your department?
- Okay, access restored?
Nobody questioned it.
After just one such phishing simulation, the security team realized that it was rather easy for employees to reset credentials.
The tech stack seemed to be pretty well developed. The operational discipline did not take charge of Executives would like to believe that’s not the case in their organization, but it is in many.

The uncomfortable lesson behind how Ransomware Crippled MGM
The paradox is that this is how the war began.The strange thing is that’s how the war started.
Many people think the weakest link in enterprise cybersecurity is outdated software, but it’s not necessarily. It simply means it’s convenient to use.
The majority of systems are optimised for speed.
Fast password resets. Very Fast vendor onboarding. Fast privileged approvals. Ultra Fast troubleshooting.
Each hot key seems innocuous until a hacker is able to combine them.
With MGM, social engineering was reported in the public sphere, playing a large part. This doesn’t necessarily imply that security controls could have failed individually. The attack surface expanded to include human trust mechanisms.Human trust mechanisms became a part of the attack surface.
I believe that’s why it’s frustrating to security leaders, as the solution appears to be a relatively simple solution in contrast to the more sophisticated marketing approach to cybersecurity.
Boards want AI-powered Detection. Security forces demand increased identity check.
Wager which one sounds less thrilling in the Quarterly meetings?
However, the latest Verizon Data Breach Investigations Report shows that credential abuse and social engineering remain two of the most successful methods to breach into an enterprise.
Attackers follow efficiency. So should defenders.
What MGM revealed about enterprise architecture risk
For large enterprises, it’s rare to have a single clean environment. They are messy. Hospitality companies especially.
All of these components are interrelated and intertwined in the context of the hotel system.
The more complex, the larger the blast radius.
Another common error that organizations commit in 2026 is to think that segmentation is there because someone drew a line on an architecture slide.
Chaos is the time that real segregation is tested!
At MGM, disturbances seemed to permeate several aspects of their business which customers were directly reliant on.
This implies that it’s probably an important question that each enterprise should ask:
How much of your business is impacted if your identity is compromised tomorrow?
A lot of executives are not able to give an answer. Inevitably, that uncertainty is hazardous.
This Article Guide Might Helpfull For Your Business: Zero Trust Security Enterprise Implementation Guide
What to do next if you want to avoid becoming the next headline
I don’t like the advice that is general, because a majority of it is recycled. Train employees.
Patch systems. Use MFA. Fine.
What’s an enterprise to do instead during next week, though?
It is here I would begin.
Audit your help desk identity process
Seriously.
Anonymously dial your internal help line. Do some “social engineering”.
I’ve given this exercise to people previously, and they get cruddy results from companies.
It’s for this reason that it works. Should the account recovery be based on predictable information or hasty decisions, this weakness is already detectable by the attackers.
Separate identity from operational systems
Many businesses still rely on centralized identity systems and fail to properly isolate them from other business functions.
- Be direct, Are you having sex?
- What happens if attackers compromise privileged credentials?
- Can they immediately disrupt the operations of customer facing systems?
If this is not a comfortable answer, then redesign the architecture.
Test executive crisis communication
Many organizations fail to consider communication as a key factor when responding to ransomware incidents.
When no one is heard from, customers go into panic mode. Employees panic faster.
In the MGM case, the frustration and confusion only further heightened during the incident when they began to lose their physical experiences which they thought should be working.
Cybersecurity response teams should join the communications team from the beginning of a cybersecurity response plan to ensure clear, accurate, and timely coordination during incidents. Not day five.
Practice partial shutdown scenarios
What normally happens in organizations are simulated outages. That is unrealistic.
Ransomware attacks can be chaotic and disjointed these days.
Payments work. Keys fail. Reservations lag. Customer apps freeze. Practice messy situations. This is more like the reality.

A strange thing happened after the MGM attack
A number of executives got busy focusing more on identity security than simply preventing ransomware.
But, I suppose I am getting ahead of myself, I am genuinely of the opinion that that was a change that was long overdue.
This MGM incident had companies re-think their assumptions on trust.
- Who can reset credentials?
- Who approves access?
- How many systems rely on one privileged account?
- How quickly can attackers move?
I observed that more CISOs started prioritizing on the investments in identity security budgets over expansion of endpoints after 2024.
That’s by no accident. It was a pattern which was recognized.
It would be natural to continue the discussion with a linked article on your site that delves into enterprise identity exposure, discussing some of the identity security pitfalls that enterprises still ignore.
Similarly, an in-depth technical tour of the growing vulnerability to ransomware exposure due to misconfigurations in the cloud would add to the operational conversation.
Why CFOs started paying closer attention
Security teams recognized ransomware as a major threat years ago. Oftentimes, finance leaders weren’t the first to do so. MGM changed that. An impact of nine figures is noticed in no time.
Organizations no longer considered ransomware just an IT expense issue, they now treated it as a business continuity concern. This change has significance for the budgets.
Once executives view cybersecurity as a revenue protection mechanism, the discussion around investing in cybersecurity shifts, significantly.
I’ve been in the meeting where security folks for months have been having to defend investments in access management upgrades.
Then there was one mistake in the public that occurred in their industry. Budget approved. Immediately. Fear is NOT a strategy. However, when visibility becomes a priority, so do priorities change.
The hardest truth nobody likes saying out loud
There is no such thing as 100% protection from ransomware.
It is possible to decrease probability. It is possible to decrease the blast radius. There are things you can do to enhance recovery.
But companies that claim immunity quickly find out that this is not the case. Not all of the organizations are recovering the fastest in 2026 for the flashiest tools.
It is they who practised failure openly. That distinction matters. Ransomware resiliency is a dull subject before and after a ransomware attack.
This Article Might Helpfull For You: Ransomware Protection Tools for Businesses
The more important one is, of course, if companies are finally ready to learn from MGM before customers feel the repercussions.
Author
Talha Qureshi is an enterprise technology analyst and blogger with over a decade of hands-on experience across cybersecurity, cloud infrastructure, B2B SaaS, and enterprise AI. He explores the difference between how companies market enterprise technology and how it actually performs in real organizational environments, highlighting the gap between expectations and reality.











