Another entertainment empire, as well as three other unnamed clients of an identity management firm, is now in the hot seat.

Following up on the MGM Resorts ransomware attack by the ALPHV group and the ongoing “negotiations” by the resort group with the attackers, word is out that social engineering was the key approach used to gain a foothold in the system.

A member of BlackCat had apparently used the identity of an MGM employee, found easily on LinkedIn, to contact the firm’s help desk and request a password change. This went without a hitch, and simple as that — the attackers were in.

With US$52m (and more) currently estimated as the amount of lost revenue, the breach is expected to negatively impact the gambling and hospitality group’s credit rating. So far, MGM has not publicly acknowledged receiving a ransom demand; it is collaborating with the FBI and cybersecurity experts to investigate the breach and restore affected systems.

In a similar incident in the industry, Caesars Entertainment has also suffered a ransomware attack. Caesars attributed the attack to social engineering — in this case involving an external IT vendor. Among other data, the entertainment group’s loyalty program database was stolen. Unconfirmed sources believe the same attackers (ALPHV) were involved. In this case, the firm had apparently paid at least half the demanded ransom (to the tune of tens of millions of US dollars) but had failed to get its data returned. However, its spokesperson has claimed that they “have not seen any evidence that the data has been further shared, published, or otherwise misused.”

Nevertheless, the group’s ransom payment runs counter to strict regulatory policies implemented by the US government’s Office of Foreign Assets Control (OFAC), which make ransomware payments a potential sanctions risk under US law.

Meanwhile, the chief security officer of the identity management company Okta, David Bradbury, has said that five of his firm’s clients, including MGM and Caesars, had been attacked since August 2023.