MGM Resorts Hacked: Social Engineering Still Beats Technical Controls

Jillian Bommarito

The Problem Was Not the Firewall

The most expensive part of the MGM Resorts incident may not be the malware. It may be the phone call.

MGM says it identified a cybersecurity issue affecting certain U.S. systems and shut down systems to protect data. The disruption rippled outward fast: reservations, room access, casino floors, payment processing, ATMs, and key cards were all implicated. In other words, the attack did not stay neatly inside some server closet where only the SOC team has to care about it. It hit the actual business.

That is the uncomfortable lesson. Technical controls matter, but they do not matter in isolation. If an attacker can persuade the right person to reset the wrong credential, they do not need to “break” the environment in the cinematic sense. They just walk around the locked door and use the employee entrance.

Social Engineering Is Not Sophisticated. It Is Effective.

There is a temptation to describe these incidents as highly sophisticated, as if that somehow makes them less embarrassing. Sometimes the tooling is sophisticated. The entry point often is not.

The reported MGM intrusion path is the same old story dressed up in 2023 clothing: identify the target, impersonate a legitimate user, pressure the help desk, and exploit a workflow designed to be helpful. That is the whole trick. No zero-day fireworks. No dramatic hacker movie lighting. Just human trust, urgency, and a support process that assumed the caller on the other end was who they claimed to be.

Why does this keep working?

Because most organizations still treat identity recovery as an administrative task rather than a privileged security event. A password reset feels low stakes until it is not. A multifactor reset feels routine until it becomes the key that opens the whole house.

And yes, the word social in social engineering is doing a lot of work here. This is not about cryptography failing. It is about confidence, authority, and process discipline failing in the exact places attackers love most.

MFA Is Not a Magic Spell

People love to say, “We have MFA.” Fine. So did a lot of organizations that still got bent into a pretzel by a help-desk call.

The lesson is not that MFA is useless. It is that MFA can be bypassed if the recovery workflow is weak enough. If an attacker can convince support staff to enroll a new factor, reset an existing one, or replace a device trust relationship, then MFA has been reduced to a box-checking exercise.

That is the part that should make every CISO and IT leader sit up straight: security architecture is only as strong as the exception handling around it. Attackers do not always go for the main gate. They go for the side door marked “temporary access,” “urgent request,” or “verified by phone.”

That is where controls become theater.

The Help Desk Is a Privileged System

We spend a lot of time talking about firewalls, endpoint protection, cloud posture, and log aggregation. All good. Useful. Necessary.

But the help desk is a privileged system too.

It can reset identities, alter access, and override friction that exists for a reason. If the help desk can be talked into granting access to an admin, a finance user, or an IT support account, then the help desk is not a back-office service function. It is a control plane.

That means the real question is not "Do we have a password policy?" The real questions are:

  • Can a caller impersonate an executive or support technician and get a reset?
  • Are password resets and MFA resets treated differently?
  • Is identity proofing strong enough to survive urgency, embarrassment, and a convincing story?
  • Do support staff have permission to improvise when a request sounds plausible?

If the answer to any of those is “maybe,” then you do not have a technical problem. You have a governance problem.

And governance is just a polite word for “the thing that breaks before the board meeting.”

What Should Have Been Tested?

If you want to avoid becoming the next headline, test the workflows attackers actually abuse.

A decent security posture assessment should not stop at scanning for open ports and expired certificates. It should examine identity recovery, privileged access, help-desk verification, and escalation procedures. The human workflows matter because attackers know they matter.

A solid program should include:

  • Penetration testing that includes vishing and help-desk abuse scenarios
  • Employee security training that teaches staff how to spot urgency, authority, and impersonation tactics
  • Identity recovery steps that require out-of-band verification, not just a convincing script
  • Separate controls for password resets, MFA resets, and privileged account recovery
  • Logging and alerting on unusual recovery activity, especially for high-value users
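The last two items above, separate rules for password resets versus MFA resets and alerting on unusual recovery activity, can be expressed as a small detection over help-desk recovery logs. The code below is an added illustration, not part of the original post or any MGM system; the event records, account names, verification methods and the 30-minute burst window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of help-desk identity-recovery events (not real data).
# "verified" is the proofing method the agent recorded for the request.
EVENTS = [
    {"ts": "2023-09-10T09:02:00", "account": "j.doe", "action": "password_reset", "verified": "callback"},
    {"ts": "2023-09-10T09:15:00", "account": "it-admin-01", "action": "mfa_reset", "verified": "caller_claim"},
    {"ts": "2023-09-10T09:17:00", "account": "it-admin-01", "action": "mfa_enroll", "verified": "caller_claim"},
    {"ts": "2023-09-10T11:40:00", "account": "cfo", "action": "mfa_reset", "verified": "manager_callback"},
    {"ts": "2023-09-10T13:00:00", "account": "a.smith", "action": "password_reset", "verified": "caller_claim"},
    {"ts": "2023-09-10T14:05:00", "account": "cfo", "action": "password_reset", "verified": "caller_claim"},
]

HIGH_VALUE = {"it-admin-01", "cfo"}  # assumed list of privileged / executive accounts
MFA_ACTIONS = {"mfa_reset", "mfa_enroll", "device_trust_reset"}  # stronger control than a password reset
OUT_OF_BAND = {"callback", "manager_callback", "in_person"}  # anything else is just the caller's story
BURST_WINDOW = timedelta(minutes=30)


def detect_recovery_abuse(events, high_value=HIGH_VALUE):
    """Return (account, action, reason) alerts for recovery events that break policy.

    Rule 1: any MFA / device-trust change needs out-of-band verification.
    Rule 2: any recovery on a high-value account needs out-of-band verification.
    Rule 3: repeated MFA changes on one account inside BURST_WINDOW are suspicious.
    Ordinary password resets on ordinary accounts are left to the weaker control.
    """
    alerts = []
    recent = {}  # account -> timestamps of recent MFA-related changes
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        acct, action, how = e["account"], e["action"], e["verified"]
        if action in MFA_ACTIONS and how not in OUT_OF_BAND:
            alerts.append((acct, action, "mfa_change_without_out_of_band_verification"))
        elif acct in high_value and how not in OUT_OF_BAND:
            alerts.append((acct, action, "high_value_recovery_without_out_of_band_verification"))
        if action in MFA_ACTIONS:
            hits = [t for t in recent.get(acct, []) if ts - t <= BURST_WINDOW]
            if hits:
                alerts.append((acct, action, "repeated_mfa_changes_within_window"))
            recent[acct] = hits + [ts]
    return alerts


if __name__ == "__main__":
    for alert in detect_recovery_abuse(EVENTS):
        print(alert)
```

Run against the sample, the admin account's two caller-claim MFA changes and the CFO's caller-claim password reset are flagged, while the two ordinary resets and the manager-verified MFA reset pass.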

This is not about making life miserable for your employees. It is about making life slightly more miserable for the person on the phone who is trying to steal your crown jewels.

There is a balance here, of course. Make the process so hard that legitimate staff cannot get help, and they will invent shadow processes. Make it so easy that anyone with a story can get through, and the attackers will thank you for your hospitality.

The Bigger Lesson for Operators

MGM is a hospitality and entertainment company, but the lesson is not limited to casinos. Any organization with valuable data, privileged users, a help desk, and a human support layer is exposed to the same class of risk.

That includes hospitals, manufacturers, SaaS vendors, lenders, and anyone else who thinks “we are not really a target.” That phrase is usually uttered shortly before an attacker uses a very ordinary tactic to cause a very expensive day.

The irony is that many companies invest heavily in controls that defend against the complicated attacks and underinvest in the boring ones. But boring attacks are the ones that work. They are cheap, repeatable, and easier to scale than people want to admit.

So no, the answer is not more security theater. It is not another slide deck. It is not a morale poster about phishing.

The answer is discipline: better verification, tighter recovery workflows, better training, and testing that assumes attackers will use the easiest route available.

Because they will.

And if the easiest route is a phone call to the help desk, then the perimeter was never the perimeter. It was just the lobby.
