Social engineered cyberattack identified as cause of August data breach by Caesars Entertainment
In the realm of cybersecurity, two major incidents have caught the attention of the industry: the data breach at Caesars Entertainment and the cyberattack on MGM Resorts, both occurring in August.
On August 18, a social-engineering attack was launched on an outsourced IT support vendor of Caesars Entertainment, leading to unauthorized access on August 23. The breach was discovered by Caesars on September 7, revealing that the customer loyalty database, which includes Social Security numbers and drivers license numbers for members, had been compromised. The attackers, believed to be the Scattered Spider threat group, are known for using voice-phishing techniques to trick IT support or call center workers into bypassing multifactor authentication. Fortunately, no evidence of payment card or bank account data being accessed was found.
Simultaneously, MGM Resorts disclosed a cyberattack on the same day, with similar methods used by the same threat group. The company expects a $100 million financial hit from the attack.
A report released by SecureWorks on Thursday sheds light on the evolving nature of ransomware attacks. The report reveals that the median dwell time for ransomware incidents has dropped significantly, now under a day, compared to 4.5 days just 12 months ago. This shift is attributed to ransomware groups focusing on quick in-and-out activities, reducing their chances of detection but also the potential ransoms they can charge.
The drop in dwell time for ransomware incidents, as shown in the SecureWorks report, suggests that actors are focusing on getting in and out quickly to reduce the chances of detection and the amount of damage they can cause. Chris Yule, director of threat research at SecureWorks' Counter Threat Unit, stated via email that this trend indicates more ransomware actors are trying to get in and out as quickly as possible.
However, it's important to note that while the typical dwell time lies between about one week and three weeks, with many attacks detected only after activation, some threat actors remain inside networks for several months before striking. This evolution in ransomware tactics over time reflects differing attacker goals, targets, and operational sophistication.
The SecureWorks report also indicates that this reduction in dwell time may be a response to increased security measures or improved detection methods. Despite these efforts, multiple class action lawsuits have been filed against MGM Resorts and Caesars Entertainment by customers claiming negligence and unjust enrichment.
As the landscape of cyberattacks continues to evolve, it's crucial for businesses to stay vigilant and adapt their security measures accordingly. The Caesars Entertainment data breach raises questions about the length of time hackers were inside the company's systems before discovery or revelation in a ransomware attack, underscoring the need for continuous monitoring and rapid response.
[1] 2025 M-Trends report [3] Another 2025 study [5] Observations from 2025 on "Silent Ransom"
- The data breach at Caesars Entertainment in August, which exposed sensitive information like Social Security numbers and drivers license numbers, highlighted the need for continuous monitoring and rapid response in cybersecurity.
- Ransomware groups, such as the Scattered Spider threat group, have shown an increasing focus on quick in-and-out attacks to evade detection and minimize potential ransoms, as suggested by the SecureWorks report.
- In light of the evolving nature of ransomware attacks, general-news outlets and crime-and-justice media have been covering the reduction in dwell time for these attacks and its potential implications for cybersecurity.
- Despite improvements in technology and cybersecurity measures, both Caesars Entertainment and MGM Resorts have faced legal consequences due to data breaches, with customers filing class action lawsuits alleging negligence and unjust enrichment.
