In September 2023, one of the world’s most sophisticated threat actors deployed a nation-state-level attack against one of the world’s most recognizable hospitality brands. The attack vector was a phone call.
Scattered Spider (also tracked as UNC3944, Starfraud, and 0ktapus) didn’t write a zero-day exploit or compromise a firewall. They looked up an MGM Resorts employee on LinkedIn, found the IT helpdesk number, and called. When the agent picked up, they claimed to be that employee, explained they were locked out, and asked for an MFA reset. The agent complied. Within minutes, Scattered Spider had credentials. Within hours, they had deployed ALPHV/BlackCat ransomware across MGM’s network. Slot machines went dark. Hotel room keys stopped working. Reservations became manual paper processes. The ten-day operational outage cost MGM approximately $100 million.
Three weeks later, the same group targeted Caesars Entertainment. Caesars paid $15 million to prevent their data from being published. Both incidents filed SEC 8-K disclosures within days of each other — two of the first major hospitality incidents reported under the SEC’s new cybersecurity disclosure rules.
The hospitality sector is the #1 publicly named Scattered Spider target sector. This article documents seven incidents in detail — MGM, Caesars, Marriott/Starwood, IHG, Omni Hotels, Motel One, and a franchise-level POS breach — with the verified facts, attack vectors, business impact, and “what a trained team would have caught” for each.
The Scattered Spider Playbook: Why Hospitality Is the Primary Target
Before examining the cases, it’s worth understanding why hospitality is disproportionately targeted by social engineering-focused threat actors like Scattered Spider.
Hospitality properties have three structural characteristics that make them ideal social engineering targets:
1. High-turnover, service-oriented culture. Hospitality staff are trained to be helpful, to resolve problems quickly, and to avoid confrontational interactions with guests or colleagues. An employee who asks too many questions or refuses a service request is seen as creating friction. Attackers exploit this cultural norm: an unhelpful helpdesk agent is a bad employee; a helpful one who resets MFA without adequate verification is an attack vector.
2. Distributed IT environments with centralized helpdesks. Large hotel chains operate thousands of properties, often with different IT systems, but typically with centralized IT helpdesk support. This means a single helpdesk team handles MFA resets, credential issues, and access problems for employees across dozens or hundreds of properties. The helpdesk team knows many employees only by name and job title — exactly the information available on LinkedIn. This creates an identity verification gap that Scattered Spider exploits systematically.
3. High-value data and operational leverage. Hotels hold payment card data for every guest, loyalty program data worth millions in accumulated points, passport information for international guests, and control over room access systems, reservation platforms, and point-of-sale systems. Ransomware on a hotel PMS system doesn’t just encrypt files — it shuts down check-in, hotel key systems, and room service ordering simultaneously. The operational pressure to restore services creates immediate payment incentive.
Scattered Spider understood all three of these dynamics and built their tactics around them. The result: the two largest hospitality cyber incidents in U.S. history, three weeks apart.
Case 1: MGM Resorts International — September 2023
Incident Summary
On September 10, 2023, MGM Resorts International began experiencing what would become the most disruptive ransomware attack in U.S. hospitality history. By the evening of September 11, slot machines across MGM’s Las Vegas properties were offline. Hotel room keys stopped working. The MGM Rewards loyalty website went dark. Guests checking in were directed to manual paper processes. ATMs stopped functioning on MGM properties.
The attack was carried out by Scattered Spider (UNC3944), which deployed ALPHV/BlackCat ransomware after gaining initial access via helpdesk social engineering. The operational outage lasted approximately 10 days across MGM’s Las Vegas portfolio, including the Bellagio, MGM Grand, Mandalay Bay, Park MGM, New York-New York, Excalibur, Luxor, and the MGM National Harbor in Maryland.
Attacker TTPs
Phase 1 — OSINT (Open-Source Intelligence Collection): Scattered Spider began by identifying an MGM employee using LinkedIn. The group specifically targets IT and helpdesk staff because they have the access and authority needed for the next phase. According to reporting by Bloomberg, CNBC, and Krebs on Security, the attackers found the name of an MGM IT employee and located the company’s IT helpdesk number through publicly available sources.
Phase 2 — Helpdesk Vishing: Scattered Spider called the MGM IT helpdesk, impersonated the identified employee, and claimed to be locked out of their account and needing an MFA reset. The attacker knew the employee’s name, job title, and potentially their department and location — all available via LinkedIn. The social engineering required approximately 10 minutes. The helpdesk agent, following normal IT service desk procedures (resolve the issue, restore access), reset the MFA credentials.
Phase 3 — Initial Access & Lateral Movement: With valid credentials and MFA reset, Scattered Spider gained initial access to MGM’s Okta identity platform. From Okta, the group moved laterally to the MGM network, escalating privileges and establishing persistence. CISA and FBI’s published advisories on UNC3944 describe their standard lateral movement techniques: Okta org hijacking, Azure Active Directory enumeration, and targeting of VMware ESXi hypervisors for maximum ransomware impact.
Phase 4 — ALPHV/BlackCat Ransomware Deployment: After establishing deep network access, Scattered Spider deployed ALPHV/BlackCat (also known as Noberus) ransomware. ALPHV/BlackCat is a sophisticated ransomware-as-a-service (RaaS) operation. The ransomware encrypted systems across MGM’s infrastructure, including the property management system (PMS), gaming systems, and hotel key card management systems. The group also exfiltrated data before encryption — the standard “double extortion” model.
Phase 5 — Extortion: Scattered Spider published a ransom demand and, when MGM refused to pay, continued the attack and made public statements claiming responsibility. Unlike Caesars (which paid), MGM chose to restore from backups and rebuild affected systems rather than pay.
Business Impact
MGM disclosed in its SEC 10-Q filing for Q3 2023 that the cybersecurity incident reduced its Adjusted Property EBITDAR by approximately $100 million for the Las Vegas Strip properties alone. This figure covers: lost gaming revenue during the 10-day outage, reduced hotel occupancy, cost of remediation and forensic investigation, regulatory compliance costs, and guest compensation. MGM also disclosed the attack in a September 14, 2023 Form 8-K filed with the SEC under the new cybersecurity incident reporting rules — one of the first major hospitality companies to make such a disclosure.
The guest-facing impact was visible and immediate: major media coverage featured photos of dark slot machine floors, guests sleeping on casino floors unable to access locked hotel rooms, and manual check-in processes using pen and paper. MGM’s stock fell approximately 6% in the days following the public disclosure.
What a Trained Team Would Have Caught
The MGM breach had a single control failure: the helpdesk agent processed an MFA reset from a cold call without adequate identity verification. A trained helpdesk would have had a documented identity verification protocol: at minimum, a callback to a number in the company’s HR system (not the number the caller provides), a code word known only to the employee, or a verification approval from the employee’s manager via the ticketing system. None of these are technically complex. All of them stop this attack.
Case 2: Caesars Entertainment — September 2023
Incident Summary
Weeks before the MGM attack became public, Scattered Spider had already successfully compromised Caesars Entertainment — and Caesars had already paid the ransom. Caesars disclosed the incident in a September 14, 2023 SEC 8-K filing, filed the same day as MGM’s initial disclosure — a coincidence that turned two major hospitality breaches into a single national news event.
Caesars confirmed in its 8-K that it had “paid a ransom demand” to an unidentified threat actor. Bloomberg News reported the ransom was approximately $30 million, and that Caesars negotiated it down to approximately $15 million. Caesars’ loyalty database was the primary exfiltration target.
Attacker TTPs
The Caesars attack followed the same Scattered Spider playbook as MGM. The group used social engineering to compromise an identity provider (likely Okta), then moved laterally to target the Caesars Rewards loyalty database. The loyalty database contained driver’s license numbers and Social Security numbers for a “significant number of members,” according to the SEC filing.
The critical difference between the MGM and Caesars outcomes: Caesars chose to pay. In their 8-K, Caesars stated they “took steps to ensure that the stolen data is deleted by the unauthorized actor,” acknowledging the payment while noting they “cannot guarantee this outcome.” This is standard ransomware post-payment disclosure language: you pay, you get a promise, you cannot verify it was kept.
Business Impact
Caesars’ SEC 8-K confirmed the ransom payment but noted that “no disruption to guest-facing systems” occurred — distinguishing it from MGM’s operational outage. However, the breach exposed the personal data of millions of Caesars Rewards members, triggering state data breach notification requirements across multiple states and class action litigation. The $15M ransom payment was disclosed as a “one-time” expense in Caesars’ subsequent earnings. Total costs including legal fees, notification expenses, and remediation likely exceed $30 million.
What a Trained Team Would Have Caught
The same helpdesk identity verification protocol that would have stopped the MGM attack applies to Caesars. The difference is that Caesars likely caught the compromise earlier and chose a different response (pay rather than restore), but both attacks began identically. There is also a broader lesson: paying the ransom did not prevent litigation, regulatory notification obligations, or class action exposure. The ransom payment bought Caesars the claim that the data “may” have been deleted — not a guarantee of it. Trained staff who stop the attack at the helpdesk stage avoid both the ransom and all downstream consequences.
Case 3: Marriott International / Starwood Hotels — 2014–2018
Incident Summary
The Marriott/Starwood breach is, by record count, one of the largest data breaches in history. It affected up to 500 million guest records, included passport numbers for approximately 5.25 million guests, and involved a state-sponsored attacker who maintained persistent access for nearly four years — two of them inside a network that Marriott had already acquired.
The breach began at Starwood Hotels & Resorts Worldwide in 2014, before Marriott’s acquisition. Chinese intelligence operatives (attributed to the Ministry of State Security) compromised Starwood’s reservation system and maintained persistent access. When Marriott acquired Starwood in 2016, the attacker remained inside. Marriott didn’t discover the breach until September 2018, four years after the initial intrusion, during a security review that found unauthorized access to the Starwood guest reservation database.
Attacker TTPs
Unlike Scattered Spider’s social engineering approach, the Marriott/Starwood breach was a sophisticated nation-state intrusion. Attribution to Chinese state-sponsored actors was confirmed by the U.S. Department of Justice in an indictment of two Chinese nationals in October 2018. The attackers used standard APT techniques: initial compromise of internet-facing systems, lateral movement using living-off-the-land techniques (using legitimate system tools to avoid detection), deployment of remote access tools (RATs) for persistent access, and data exfiltration in encrypted, compressed archives designed to evade DLP tools.
The most operationally significant TTP was the persistence across the acquisition. When Marriott purchased Starwood, standard M&A cybersecurity due diligence should have included a comprehensive security assessment of Starwood’s network. The attacker had been present for two years by the time of acquisition. A thorough assessment would likely have detected indicators of compromise — but the assessment wasn’t comprehensive enough to find a patient, well-hidden threat actor.
Business Impact
The regulatory and legal consequences of the Marriott/Starwood breach extended for years after the 2018 discovery. The UK Information Commissioner’s Office (ICO) issued a GDPR fine of £18.4 million (approximately €18.4 million at the time) in October 2020 — reduced from an initial proposed fine of £99 million after Marriott cooperated with the investigation and implemented remediation measures. In the United States, a multistate attorney general coalition investigated and reached a $52 million settlement with Marriott in October 2024 — six years after the breach was discovered. A class action settlement of approximately $52 million was also approved. The total regulatory and legal cost exceeds $100 million when legal fees are included.
Beyond the financial penalties, the Marriott/Starwood breach had lasting reputational consequences. The phrase “Marriott breach” became shorthand for acquisition due diligence failure and lengthy undetected intrusions. It also directly contributed to the development of the UK GDPR enforcement approach for inadequate security practices — the ICO cited the failure to identify the compromise during the acquisition as a key aggravating factor.
What a Trained Team Would Have Caught
The Marriott breach involved two separate defensive failures. The first was Starwood’s original compromise in 2014 — likely via a vulnerability in an internet-facing system that trained security staff might have patched more quickly. The second, and more instructive failure, was the post-acquisition security assessment. Marriott’s team should have run a comprehensive threat-hunt on Starwood’s network before integrating it with Marriott’s systems. The attacker persisted because nobody looked carefully enough. For most hospitality companies, the lesson is simpler: regularly hunt for anomalous data flows in your reservation system. Large exfiltration events — even compressed and encrypted — leave network traffic signatures that trained responders learn to look for.
Case 4: IHG (InterContinental Hotels Group) — September 2022
Incident Summary
In September 2022, InterContinental Hotels Group (IHG), the parent company of Holiday Inn, Crowne Plaza, InterContinental, and Kimpton, confirmed a cybersecurity incident that disrupted booking systems and IHG’s mobile app. The attack was attributed to a threat actor operating under the name Vinny and Ragged, who claimed to the BBC that they had breached IHG’s systems using credentials found in a publicly accessible configuration file and then deployed a wiper to destroy data when their ransomware demands were rejected.
Attacker TTPs
The IHG attack is notable for its unusual attack vector and deliberate destructiveness. According to the BBC’s reporting, the attackers gained initial access by finding IHG’s IT credentials stored in an internal password manager document that was “easily accessible to all staff.” The specific credential involved: an admin account with the password “Qwerty1234,” storing enterprise database access credentials. Once inside, the attackers moved laterally through IHG’s network. When IHG detected the intrusion and began blocking their activity, the attackers abandoned the ransomware deployment and instead ran a wiper script to destroy data in frustration — what the attackers described as a “JohnWick attack.”
The IHG case demonstrates a class of credential security failure that sits between technical vulnerability and human behavior. The password “Qwerty1234” for an enterprise admin account storing database credentials is a human decision failure. The storage of those credentials in a broadly accessible internal document is a policy failure. Neither required sophisticated attack tooling to exploit.
Business Impact
IHG’s booking systems and mobile app were disrupted for multiple days. The company disclosed the incident in a stock market filing, noting “unauthorized access to a number of its technology systems.” IHG operates over 6,000 hotels globally; disruption to the central booking platform affected reservations across the portfolio. The wiper attack destroyed data on affected systems, complicating recovery and extending downtime beyond what a standard ransomware recovery would require.
What a Trained Team Would Have Caught
The IHG breach was preventable by controls that have nothing to do with advanced threat detection. A password policy that prohibits common passwords (and enforces it technically, not just in writing) would have stopped step one. A policy prohibiting storage of enterprise credentials in broadly accessible documents — and regular audits to enforce it — would have stopped step two. Training your IT and finance staff to understand credential hygiene is not a technical control: it’s a human awareness change. The IHG attacker said they spent five minutes finding the credentials. A trained team wouldn’t have left them there.
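The two IHG controls above (a technically enforced weak-password policy and an audit of broadly shared documents for stored credentials) are easy to state and easy to skip. The following is an added example, not IHG's code or any product's: a password gate that rejects deny-listed passwords and keyboard walks such as the “Qwerty1234” pattern, and a scanner that flags credential-looking lines in a shared document. The deny list, minimum length and the sample document are constructed for the example; a real deployment would load a breached-password corpus in place of the stub list.

```python
"""Weak-password gate plus shared-document credential audit (added example,
not IHG's or any product's code). check_password() reports every policy rule
a password violates so the policy is enforceable rather than advisory;
find_credential_lines() is the audit helper for documents "accessible to all
staff". DENY_LIST, MIN_LENGTH and SHARED_DOC are constructed stand-ins.
"""
import re

# Constructed deny list standing in for a breached-password corpus.
DENY_LIST = {"password", "password1", "welcome1", "letmein", "changeme", "admin123"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 14  # assumed policy value for privileged accounts


def keyboard_walks(pw: str, run: int = 4):
    """Return each maximal run of `run` or more adjacent keys on one keyboard
    row (forward or backward) found in the password, e.g. "qwerty", "1234"."""
    low = pw.lower()
    found, i = [], 0
    while i < len(low):
        best = ""
        for row in KEYBOARD_ROWS:
            for seq in (row, row[::-1]):
                j = i
                while j < len(low) and low[i:j + 1] in seq:
                    j += 1
                if j - i > len(best):
                    best = low[i:j]
        if len(best) >= run:
            found.append(best)
            i += len(best)
        else:
            i += 1
    return found


def check_password(pw: str, username: str = ""):
    """Return the list of rules the password violates (empty list == accepted)."""
    violations = []
    if len(pw) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    # Strip trailing digits/symbols so "Password1!" still matches "password".
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    if pw.lower() in DENY_LIST or core in DENY_LIST:
        violations.append("on the common-password deny list")
    walks = keyboard_walks(pw)
    if walks:
        violations.append("keyboard walk: " + ", ".join(walks))
    if username and username.lower() in pw.lower():
        violations.append("contains the account name")
    if re.fullmatch(r"\d+", pw):
        violations.append("digits only")
    return violations


# Deliberately broad: hits are reviewed by a person, so false positives are cheap.
CRED_RE = re.compile(r"(?i)\b(pass(word)?|pwd|secret|api[_-]?key)\b\s*[:=]\s*(\S+)")


def find_credential_lines(doc: str):
    """Audit helper for shared documents: (line_no, value) for each line that
    looks like a stored credential."""
    hits = []
    for n, line in enumerate(doc.splitlines(), 1):
        m = CRED_RE.search(line)
        if m:
            hits.append((n, m.group(3)))
    return hits


# Constructed "welcome pack" of the kind that ends up readable by all staff.
SHARED_DOC = """\
Welcome to the team!
Cafeteria hours: 7am-3pm
DB admin login: dbadmin / password: Qwerty1234
Wifi password = GuestNet2023
"""

if __name__ == "__main__":
    print("Qwerty1234 ->", check_password("Qwerty1234"))
    print("shared doc hits ->", find_credential_lines(SHARED_DOC))
```

The keyboard-walk check is what catches the IHG-style password: “Qwerty1234” is not on most deny lists verbatim, but it is two keyboard rows glued together. The document scanner is meant to run over whatever file shares or wiki exports all staff can read; every hit is then rotated and moved into the password manager proper.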
Case 5: Omni Hotels & Resorts — May 2024
Incident Summary
In late March and early April 2024, Omni Hotels & Resorts experienced a ransomware attack attributed to the Daixin Team, a ransomware group active since 2022. Omni publicly confirmed the incident on April 8, 2024, noting that their systems were taken offline as a “precautionary measure.” Properties across the US and Canada were affected.
The Daixin Team later claimed responsibility and stated they had exfiltrated approximately 3.5 GB of data including guest personally identifiable information (PII): names, email addresses, mailing addresses, and Omni loyalty program (Select Guest) member data. The group demanded a ransom and, when Omni reportedly refused, threatened to release the data. The group subsequently posted what they claimed was sample data publicly.
Attacker TTPs
The Daixin Team is a financially motivated threat actor that primarily targets the hospitality and healthcare sectors. Their TTPs were described in a CISA advisory (AA22-294A) in October 2022: initial access via phishing or exploitation of vulnerable VPN credentials, lateral movement using Remote Desktop Protocol (RDP), credential harvesting using Mimikatz (a tool that extracts passwords from Windows memory), and deployment of ransomware based on leaked Babuk ransomware source code. At Omni, the attack followed this pattern: initial compromise, lateral movement across Omni’s corporate network, encryption of production systems, and exfiltration of guest data before encryption.
Business Impact
Omni’s hotel key card systems, reservation systems, and point-of-sale systems were taken offline. Guests at affected properties were unable to use key cards, and check-in processes reverted to manual. The operational disruption lasted approximately four days before systems were restored. Omni notified affected guests and state attorneys general of the data breach per state notification laws, disclosing that loyalty member data including names, addresses, email addresses, and Select Guest member information had been compromised. Class action litigation followed, alleging Omni failed to implement adequate security controls to protect guest data.
What a Trained Team Would Have Caught
The Daixin Team’s initial access vector at Omni hasn’t been publicly confirmed, but their typical approach — phishing or VPN credential exploitation — is addressable through staff training. If initial access was via phishing, a trained team that recognizes phishing indicators and reports rather than clicks stops the attack at entry. If initial access was via compromised VPN credentials, MFA on VPN login (which CISA has repeatedly mandated as a baseline control) would have prevented lateral movement. The common thread: the controls that stop Daixin Team at entry are the same controls that stop most hospitality ransomware attacks.
Case 6: Motel One Group — September 2023
Incident Summary
In September 2023 — the same week as the MGM and Caesars attacks — ALPHV/BlackCat ransomware group published data claiming to be from Motel One, a European budget hotel chain with properties across Germany, Austria, the UK, and other European markets. Motel One confirmed the breach in early October 2023, acknowledging that approximately 150 GB of data had been exfiltrated, including “credit card data” for some customers.
The timing — three major hospitality breaches within weeks of each other — was not coincidence. ALPHV/BlackCat is a ransomware-as-a-service (RaaS) operation with multiple affiliated groups using its platform. The Motel One breach and the MGM Resorts breach were both attributed to ALPHV/BlackCat affiliates, though likely different affiliates using different initial access techniques. The convergence of attacks on hospitality in the same month reflects the sector’s standing as a high-value target, not operational coordination.
Attacker TTPs
The specific initial access vector in the Motel One breach has not been publicly confirmed. ALPHV/BlackCat affiliates use a range of initial access techniques: phishing, exploitation of unpatched vulnerabilities in internet-facing systems, and purchasing compromised credentials from initial access brokers (IABs) on cybercrime forums. The exfiltration of 150 GB of data — including credit card data — prior to encryption suggests the attackers had extended access before triggering the ransomware, consistent with ALPHV/BlackCat’s standard double-extortion model.
Business Impact
Motel One acknowledged the breach and notified affected customers in Germany and Austria under GDPR’s 72-hour notification requirement. The disclosure of payment card data triggered PCI-DSS incident response obligations, including mandatory notification to card brands and forensic investigation. The ALPHV/BlackCat group published what it claimed was sample data including bookings, correspondence, and partial card numbers. Motel One subsequently cooperated with German and Austrian data protection authorities on notification and remediation.
What a Trained Team Would Have Caught
Without confirmed initial access details, the actionable lessons from Motel One are at the detection layer: monitoring for large data exfiltration events (150 GB leaving the network in compressed archives is anomalous) and enforcing the technical controls that limit what an attacker can reach once inside. Network segmentation that isolates payment card systems from general corporate systems — required by PCI-DSS — limits the blast radius if initial access is achieved. A trained SOC or managed detection and response (MDR) team monitoring for data exfiltration patterns would likely have detected the 150 GB outflow before encryption completed.
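The detection-layer lesson here and in the Marriott case (hunt for anomalous data flows leaving the reservation system) comes down to one question: is this host sending far more to the outside than it normally does? The block below is an added example, not Motel One's, Marriott's or any vendor's detection logic. It aggregates outbound bytes per internal host per hour from flow records and flags buckets that exceed both an absolute floor and a multiple of that host's baseline. The flow lines, the corporate address range, the host addresses and the baseline figures are all constructed for the example; in practice the baseline comes from weeks of history.

```python
"""Outbound-volume anomaly check over flow records (added example; not
Motel One's, Marriott's or any vendor's detection logic). Flags (host, hour)
buckets whose external egress exceeds an absolute floor AND a multiple of
that host's baseline. SAMPLE_FLOWS, INTERNAL and BASELINE are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed corporate range
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed flow export: a quiet reservation server (10.20.5.17) that suddenly
# pushes ~1.4 GB to an external host overnight, and a mail relay (10.20.9.2)
# that is always busy, so its volume is normal for it.
SAMPLE_FLOWS = """\
2023-09-23T14:05:00Z src=10.20.5.17 dst=198.51.100.20 dport=443 bytes_out=2100000
2023-09-23T15:10:00Z src=10.20.5.17 dst=198.51.100.20 dport=443 bytes_out=1900000
2023-09-23T16:12:00Z src=10.20.5.17 dst=198.51.100.20 dport=443 bytes_out=2300000
2023-09-23T14:30:00Z src=10.20.9.2 dst=192.0.2.10 dport=25 bytes_out=900000000
2023-09-23T15:30:00Z src=10.20.9.2 dst=192.0.2.10 dport=25 bytes_out=950000000
2023-09-24T02:13:05Z src=10.20.5.17 dst=203.0.113.9 dport=443 bytes_out=734003200
2023-09-24T02:41:12Z src=10.20.5.17 dst=203.0.113.9 dport=443 bytes_out=701000000
2023-09-24T02:50:00Z src=10.20.5.17 dst=10.20.1.4 dport=445 bytes_out=500000000
"""


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def parse_flows(text: str):
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # tolerate junk lines in the export
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"]),
        }


def hourly_external_egress(text: str) -> dict:
    """Map (src, hour bucket) -> bytes sent to non-internal destinations.
    Internal-to-internal transfers (like the SMB copy above) are excluded."""
    buckets = defaultdict(int)
    for f in parse_flows(text):
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            hour = f["ts"].replace(minute=0, second=0)
            buckets[(f["src"], hour)] += f["bytes"]
    return dict(buckets)


def find_egress_anomalies(text: str, baseline: dict, min_bytes: int = 100_000_000, ratio: float = 10.0):
    """Alert on buckets above min_bytes AND above ratio * the host's baseline.
    The absolute floor stops tiny hosts alerting on trivial spikes; the ratio
    stops always-busy hosts (mail relays, backup targets) alerting constantly."""
    alerts = []
    for (src, hour), total in sorted(hourly_external_egress(text).items()):
        base = baseline.get(src, 0)
        if total >= min_bytes and total >= ratio * base:
            alerts.append({"src": src, "hour": hour.isoformat(), "bytes": total, "baseline": base})
    return alerts


# Constructed baselines: reservation server ~2 MB/hour out, mail relay ~900 MB/hour.
BASELINE = {"10.20.5.17": 2_000_000, "10.20.9.2": 900_000_000}

if __name__ == "__main__":
    for a in find_egress_anomalies(SAMPLE_FLOWS, BASELINE):
        print(f"ALERT {a['src']} at {a['hour']}: {a['bytes'] / 1e6:.0f} MB out "
              f"(baseline {a['baseline'] / 1e6:.0f} MB/h)")
```

Run against the sample, only the reservation server's 02:00 bucket fires: roughly 1.4 GB against a 2 MB/hour baseline. The mail relay's 900 MB hours clear the absolute floor but not the ratio, which is the point of keeping a per-host baseline rather than one global threshold. At the 150 GB scale seen in the Motel One case, this kind of bucketed comparison would fire within the first hour of the transfer, not after encryption completed.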
Case 7: Franchise POS Compromise — Hyatt & Hilton Franchise Properties (2015–2017)
Incident Summary
While the 2023–2024 attacks capture headlines, the most persistent long-term threat to hospitality is POS malware targeting franchise properties. Between 2015 and 2017, both Hyatt Hotels Corporation and Hilton Hotels & Resorts disclosed POS malware compromises affecting franchise and managed properties globally. Hyatt’s 2015 disclosure affected 250 hotel locations in 50 countries. Hilton’s 2015 disclosure affected hundreds of thousands of payment cards across Hilton, Waldorf Astoria, Embassy Suites, and DoubleTree properties. Both attacks involved memory-scraping malware installed on POS terminals, harvesting payment card track data during the authorization window.
Attacker TTPs
POS malware in the hospitality sector typically follows a consistent pattern: attackers compromise remote access credentials used by POS vendors for system maintenance (often via phishing or credential stuffing), use that access to install memory-scraping malware on POS terminals, and configure the malware to harvest card track data (the magnetic stripe data used in card-present transactions) during the microsecond window when it’s processed in the terminal’s memory. The harvested data — full magnetic stripe data — can be encoded onto blank cards and used for card-present fraud anywhere in the world.
The franchise-specific amplification: Hyatt and Hilton both operate primarily through franchise and management contracts. Individual franchise operators control their own IT environments and POS systems, subject to brand standards. When a franchise operator’s POS vendor has weak remote access credentials, the brand faces reputational and regulatory consequences for a breach it didn’t directly cause and couldn’t directly prevent. The brand’s name is on the door — not the franchise operator’s — so the brand bears the customer notification burden.
Business Impact
Hyatt and Hilton both incurred PCI-DSS investigation costs, card brand fines, and card reissuance costs (estimated at $10–15 per card reissued). With hundreds of thousands of cards compromised across multiple properties, the financial exposure ran into the tens of millions. Both companies were required to demonstrate PCI-DSS compliance improvements as a condition of maintaining payment card acceptance. The franchise-level breaches also created friction between brands and franchise operators over who bore responsibility for remediation costs.
What a Trained Team Would Have Caught
POS malware via vendor remote access is one of the most preventable attack vectors in hospitality. The controls that stop it: (1) Require MFA on all POS vendor remote access sessions. (2) Restrict vendor remote access to scheduled maintenance windows only, not persistent “always-on” access. (3) Require separate credentials for each vendor; never share a single remote access account across multiple vendors. (4) Deploy network monitoring that alerts on anomalous data flows from POS terminal IP addresses. A trained operations manager who understands why these controls matter — and who reviews the vendor access log quarterly — is the enforcement mechanism that makes these technical controls effective. PCI-DSS Requirement 12.6 exists precisely because this training is the implementation gap most commonly cited in PCI forensic investigations.
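The quarterly vendor access review the paragraph describes is a mechanical check once the session log is in a parseable form. The block below is an added example, not Hyatt's, Hilton's or any POS vendor's code: it applies the first three controls (MFA on every session, sessions only in the scheduled maintenance window, one account per vendor) to a constructed session log and also flags sessions from addresses the vendor is not registered to connect from. The log format, vendor names, windows and addresses are assumptions; the fourth control (network monitoring on POS terminal traffic) is a flow-analysis job outside this block.

```python
"""Quarterly audit of POS vendor remote-access sessions (added example, not
Hyatt's, Hilton's or any vendor's code). Flags sessions without MFA, outside
the vendor's maintenance window, from unregistered source addresses, and
accounts shared across vendors. SAMPLE_LOG, MAINTENANCE_WINDOWS and
REGISTERED_SRC are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, time

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vendor=(?P<vendor>\S+) account=(?P<account>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no) target=(?P<target>\S+)$"
)

# Assumed per-vendor maintenance windows (UTC) and registered source addresses.
MAINTENANCE_WINDOWS = {"posco": (time(2, 0), time(5, 0)), "kiosklabs": (time(1, 0), time(4, 0))}
REGISTERED_SRC = {"posco": {"198.51.100.7"}, "kiosklabs": {"192.0.2.40"}}

# Constructed session log: two clean sessions, one mid-afternoon session with no
# MFA from an unknown address, and a second vendor reusing the first vendor's account.
SAMPLE_LOG = """\
2017-03-02T03:12:44Z vendor=posco account=posco-svc src=198.51.100.7 mfa=yes target=pos-term-01
2017-03-02T03:40:10Z vendor=posco account=posco-svc src=198.51.100.7 mfa=yes target=pos-term-02
2017-03-05T14:02:01Z vendor=posco account=posco-svc src=203.0.113.5 mfa=no target=pos-term-03
2017-03-06T02:30:00Z vendor=kiosklabs account=posco-svc src=192.0.2.40 mfa=yes target=kiosk-lobby
2017-03-07T01:15:00Z vendor=kiosklabs account=kiosk-svc src=192.0.2.40 mfa=yes target=kiosk-lobby
"""


def parse(log: str):
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield d


def in_window(ts: datetime, window) -> bool:
    start, end = window
    return start <= ts.time() < end


def audit(log: str):
    """Return one human-readable finding per control violation."""
    findings = []
    vendors_by_account = defaultdict(set)
    for e in parse(log):
        vendors_by_account[e["account"]].add(e["vendor"])
        tag = f"{e['ts'].isoformat()} {e['vendor']}/{e['account']}"
        if e["mfa"] != "yes":
            findings.append(f"{tag}: session without MFA")
        window = MAINTENANCE_WINDOWS.get(e["vendor"])
        if window is None:
            findings.append(f"{tag}: vendor has no scheduled maintenance window")
        elif not in_window(e["ts"], window):
            findings.append(f"{tag}: outside maintenance window")
        if e["src"] not in REGISTERED_SRC.get(e["vendor"], set()):
            findings.append(f"{tag}: source {e['src']} not registered to vendor")
    # Control 3: an account used by more than one vendor is a shared credential.
    for acct, vendors in vendors_by_account.items():
        if len(vendors) > 1:
            findings.append(f"account {acct} shared across vendors: {', '.join(sorted(vendors))}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("FINDING", f)
```

The 2017-03-05 session trips three of the checks at once (no MFA, daytime, unknown source), which is the profile of a vendor credential being used by someone other than the vendor. The shared-account finding is the one most often missed in manual reviews because each vendor's sessions look fine in isolation; it only appears when sessions are grouped by account rather than by vendor.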
The Scattered Spider Pattern: Vishing Methodology Deep Dive
Because Scattered Spider’s technique is the defining threat to the hospitality sector in the current period, it’s worth documenting the exact methodology in detail.
Step 1: Target Identification. Scattered Spider uses LinkedIn to identify IT helpdesk staff, IT managers, and employees with titles suggesting system access (IT Support, IT Operations, Systems Administrator, Identity & Access Management). They look for employees at large hospitality companies who have posted their job titles and employers publicly. They also target employees who have publicly listed certifications (CompTIA Security+, Microsoft certifications) that suggest technical IT roles.
Step 2: Pretext Construction. Once a target employee is identified, Scattered Spider researches their background: manager name (often listed in LinkedIn recommendations), team name, location, and any recent company news. They construct a pretext — a false reason for calling — that’s consistent with the employee’s role and plausible in context. The most common pretext: “I’m traveling, my phone was stolen, and I can’t receive my MFA codes. I need you to reset my MFA so I can get back into my email.”
Step 3: The Call. Scattered Spider calls the IT helpdesk — a number often listed on internal intranet pages that may be findable via OSINT. They’re native English speakers with normal American accents (Scattered Spider members are typically young adults in the US and UK), which eliminates the accent red flag that older social engineering training focused on. They’re calm, collegial, and slightly apologetic — “I know this is a pain, I’m really sorry to bother you.” They apply subtle pressure: “I’ve got a call with the GM in 20 minutes and I can’t get in.”
Step 4: MFA Reset. If the helpdesk agent processes the reset without adequate identity verification, the attacker immediately signs in with the legitimate user’s credentials and the new MFA device they control. At this point, they have a valid, authenticated session in the corporate identity platform. The attack has succeeded. Everything that follows — lateral movement, ransomware deployment — is execution on an initial access that was granted voluntarily by a trained employee following normal procedures.
Step 5: Identity Platform Exploitation. Scattered Spider is particularly proficient at Okta and Microsoft Entra ID exploitation. Once inside the identity platform, they enumerate users with privileged access, identify service accounts with broad permissions, and use the identity platform to move laterally to cloud infrastructure, VMs, and production databases. CISA’s advisory on UNC3944 (AA23-320A) documents their specific techniques for Okta org hijacking and Azure AD exploitation.
The counter-technique is straightforward but requires training and procedure: Never process an MFA reset from a cold call alone. Always call back on a number from the company directory — not the number the caller provides. Require manager approval via the ticketing system for any MFA reset. These are not difficult technical controls. They require trained humans who know why the verification matters and who feel empowered to say “I’m going to need to verify this through our standard process” without feeling like an unhelpful employee.
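The verification protocol described here and in the MGM “What a Trained Team Would Have Caught” section can be written down as a gate the ticketing workflow enforces, so that the decision does not rest on how the agent feels about being unhelpful. The block below is an added example, not MGM's, Caesars', Okta's or any helpdesk product's code. A reset is approved only when the agent has called back on the directory number (never the number the caller offered), the employee confirmed the request on that call, and the employee's manager of record has approved on the ticket. The directory records, phone numbers and requests are constructed for the example.

```python
"""Helpdesk MFA-reset verification gate (added example; not MGM's, Caesars'
or any helpdesk product's code). Approval requires a confirmed callback to
the directory number AND approval from the manager of record on the ticket.
DIRECTORY and the requests built in __main__ are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed HR directory: the only phone numbers the agent may dial.
DIRECTORY = {
    "j.doe": {"phone": "+1-702-555-0100", "manager": "a.smith"},
    "a.smith": {"phone": "+1-702-555-0101", "manager": "c.lee"},
}


@dataclass
class ResetRequest:
    username: str
    caller_supplied_phone: str                   # number the caller asked to be reached on
    callback_number_used: Optional[str] = None   # number the agent actually dialled
    callback_confirmed: bool = False             # employee answered there and confirmed the request
    ticket_approvals: List[str] = field(default_factory=list)  # usernames who approved on the ticket


def evaluate_reset(req: ResetRequest) -> Tuple[bool, List[str], List[str]]:
    """Return (approved, blockers, notes). Blockers are the unmet steps the agent
    reads back to the caller; notes are signals recorded on the ticket that do
    not by themselves decide the outcome."""
    blockers, notes = [], []
    record = DIRECTORY.get(req.username)
    if record is None:
        return False, ["user not in directory"], notes

    # Control 1: callback to the directory number, confirmed by the employee.
    if req.callback_number_used is None:
        blockers.append("no callback performed")
    elif req.callback_number_used != record["phone"]:
        blockers.append("callback went to a non-directory number")
    elif not req.callback_confirmed:
        blockers.append("employee did not confirm on callback")

    # Control 2: approval from the manager of record, not from "a manager".
    if record["manager"] not in req.ticket_approvals:
        blockers.append("no approval from manager of record on ticket")

    # Signal: the caller offered a number that is not the one on file.
    if req.caller_supplied_phone != record["phone"]:
        notes.append("caller-supplied number differs from directory")

    return not blockers, blockers, notes


if __name__ == "__main__":
    cold_call = ResetRequest("j.doe", caller_supplied_phone="+1-702-555-0199")
    print("cold call:", evaluate_reset(cold_call))
    verified = ResetRequest("j.doe", caller_supplied_phone="+1-702-555-0100",
                            callback_number_used="+1-702-555-0100",
                            callback_confirmed=True, ticket_approvals=["a.smith"])
    print("verified:", evaluate_reset(verified))
```

The useful property is that the gate returns the list of outstanding steps rather than a bare yes/no: the agent can say exactly what the standard process still requires, which is the sentence the paragraph above says trained staff need to feel empowered to deliver. Wiring the same three fields into the ticketing system as required fields on an “MFA reset” ticket type makes the check independent of who is on shift.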
Compliance Exposure: The Four-Framework Stack
A hospitality breach doesn’t trigger a single regulatory response. It triggers a stack. Understanding the stack matters because each framework has different notification timelines, different documentation requirements, and different penalty exposure.
PCI-DSS v4.0 applies to every transaction touchpoint. For franchise operators, this means every front-desk terminal, restaurant POS, spa booking system, and online checkout. PCI-DSS v4.0 Requirement 12.6 specifically requires “a formal security awareness program to make personnel aware of the entity’s information security policies and procedures, and their role in protecting the entity’s cardholder data.” This is not optional and is not satisfied by a one-time video. It requires documented, periodic training with verified completion records. Card brand violations can result in $5,000–$100,000 in monthly fines plus mandatory forensic investigation costs.
GDPR applies to any EU resident’s data, regardless of where the hotel is located. Marriott’s £18.4M GDPR fine established that hotel chains storing EU guest data are subject to GDPR enforcement regardless of the hotel’s primary jurisdiction. For US properties serving international guests, the key obligations are: 72-hour breach notification to the relevant DPA, documented lawful basis for each data processing activity (including why you retain passport data beyond check-in), and evidence that you’ve conducted adequate security training for staff processing EU resident data.
State breach notification laws in all 50 US states require notification to affected residents and, in most states, to the state attorney general. Timelines vary (30–90 days depending on state), but the Marriott multistate AG settlement — $52 million — illustrates the collective penalty exposure when a breach affects residents across multiple states simultaneously.
FTC Safeguards Rule applies to hotel companies that operate financial products: co-branded credit cards, loyalty financing programs, or insurance products requiring a financial services license. For these companies, the FTC Safeguards Rule mandates a written security program, annual risk assessments, documented employee training, and vendor oversight. Violations carry civil penalties of up to $51,744 per violation per day.
The Training Gap That Creates All the Others
Across all seven cases in this article, a common thread emerges: the technical controls that would have stopped each attack exist, are often already partially deployed, and fail because the humans operating them weren’t trained to use them correctly.
The MGM helpdesk agent had an MFA reset procedure. They just didn’t have a verification procedure to go with it. The IHG IT team had a password manager. They just stored it in a broadly accessible document without understanding the risk. The franchise POS operators had vendor access contracts. They just didn’t have a monitoring process to check what vendors actually did with that access.
Technical controls are only as effective as the people who implement and operate them. PCI-DSS Requirement 12.6 exists because PCI forensic investigations repeatedly found the same root cause: the humans responsible for cardholder data environment security hadn’t been trained on the specific threats they faced. Not “security awareness training” in the generic “don’t click suspicious links” sense. Training on the specific attack patterns targeting their role: the vishing call to the helpdesk, the invoice phishing email to the accounts payable clerk, the vendor credential reuse that compromises the POS terminal.
This specificity is the difference between a training program that satisfies a compliance checkbox and one that stops an attack. The SecurEveryone training methodology for hospitality is built around the three drills that map to the three highest-frequency attack vectors in the sector: helpdesk social-engineering resistance, front-desk phishing recognition, and wire-transfer fraud verification for finance and property management teams.
What to Do This Week
- Implement a helpdesk MFA reset verification protocol this week. Write a one-page procedure: all MFA reset requests require a callback to the number in the company HR system (not a number provided by the caller), and approval from the employee’s direct manager via the ticketing system. Distribute it to every helpdesk agent and IT support staff member. Review it in the next team meeting. This single control stops the Scattered Spider attack chain.
- Audit your POS vendor remote access. Pull every vendor that has remote access to your POS terminals or property management system. Verify: is MFA required for their remote sessions? Is access limited to scheduled maintenance windows? When was the last time you reviewed the access log? The Hyatt and Hilton POS malware attacks persisted for months because nobody checked the vendor access logs.
- Download the Vishing Defense Playbook (free at /free-vishing-playbook). It includes the Scattered Spider playbook step-by-step, the identity verification protocol for IT helpdesks, and tabletop scenarios for practicing the response before the call comes.
- Check your GDPR notification procedure for European guests. If you accept EU guests, you have a 72-hour window to notify the relevant DPA after a breach. Most US hotels don’t have this procedure written down. Write it now: who decides a breach has occurred, who notifies the DPA, what data is included in the notification, and what guests are told.
- Book a property-wide training session. The SecurEveryone hospitality program covers helpdesk social-engineering resistance, front-desk phishing recognition, and wire-transfer fraud verification in a single 90–120-minute session. PCI-DSS Req. 12.6 documentation included. Available for individual staff at $150, management teams at $390, or property-wide at $900 flat (unlimited attendees).
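A script that runs the vendor remote-access audit from the second item above over access log lines: it flags sessions without MFA, sessions outside the maintenance window, and vendor accounts whose standing access has gone unused long enough to warrant review. This is an added example, not code from the article or from SecurEveryone; the key=value log format, vendor names, addresses and the 01:00-04:00 UTC maintenance window are constructed assumptions.

```python
"""Vendor remote-access audit for POS/PMS access logs (added example)."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample log lines; real exports from a jump host or VPN will differ.
SAMPLE_LOG = """\
2024-03-04T02:15:00Z vendor=posco user=tech1 src=203.0.113.7 mfa=yes action=session_start
2024-03-04T14:40:00Z vendor=posco user=tech1 src=203.0.113.7 mfa=no action=session_start
2024-03-06T03:05:00Z vendor=spabook user=svc src=198.51.100.9 mfa=yes action=session_start
2024-03-20T03:30:00Z vendor=posco user=tech2 src=203.0.113.8 mfa=yes action=session_start
"""
MAINT_START_HOUR, MAINT_END_HOUR = 1, 4   # assumed window: 01:00-04:00 UTC

def parse_line(line: str) -> Dict[str, object]:
    """Split '<ISO timestamp> k=v k=v ...' into a dict with an aware 'ts'."""
    ts, *pairs = line.split()
    rec: Dict[str, object] = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def audit_vendor_access(log_text: str, now: datetime, stale_days: int = 30) -> List[str]:
    """Return human-readable findings for the three checks in the article."""
    findings: List[str] = []
    last_seen: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("action") != "session_start":
            continue
        vendor, ts = str(rec["vendor"]), rec["ts"]
        assert isinstance(ts, datetime)
        last_seen[vendor] = max(ts, last_seen.get(vendor, ts))
        if rec.get("mfa") != "yes":
            findings.append(f"{vendor}: session at {ts.isoformat()} without MFA")
        if not (MAINT_START_HOUR <= ts.hour < MAINT_END_HOUR):
            findings.append(f"{vendor}: session at {ts.isoformat()} outside maintenance window")
    # Standing access that nobody has used recently is access nobody is reviewing.
    for vendor, ts in last_seen.items():
        if now - ts > timedelta(days=stale_days):
            findings.append(f"{vendor}: last session {ts.date()} is older than "
                            f"{stale_days} days; confirm the access is still needed")
    return findings

def audit_sample() -> List[str]:
    """Run the audit over the constructed log as of a fixed review date."""
    return audit_vendor_access(SAMPLE_LOG, datetime(2024, 4, 10, tzinfo=timezone.utc))
```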
The hospitality sector’s cybersecurity problem is not a technology gap. MGM had Okta. Marriott had a security team. Caesars had compliance programs. Every one of these organizations had technical controls. What failed, in each case, was a human decision made by a person who hadn’t been trained on the specific attack pattern they were facing. Scattered Spider called the helpdesk because that’s the easiest door — and hospitality helpdesks are trained to open it.
One protocol. One training. One session. That’s the gap between the MGM outcome and a refused social engineering attempt that gets reported to the security team and blocked.
Related Resources
- Hospitality Cybersecurity Training Program → — Scattered Spider helpdesk drill, POS fraud recognition, wire transfer fraud verification; all three training scenarios for hotel and casino teams
- Free Vishing Defense Playbook → — 11-page guide: Scattered Spider playbook step-by-step, helpdesk identity verification protocol, tabletop scenarios for hospitality teams
- Free Ransomware Response Playbook → — 12-page playbook covering the ransomware kill chain, ALPHV/BlackCat analysis, and the first 72 hours of incident response
- Free IR Plan Template → — 12-section incident response plan including PCI-DSS breach notification, GDPR DPA notification procedure, and guest communication templates
- GDPR Compliance for Hospitality → — EU guest data requirements, 72-hour notification procedures, documented training for DPA compliance
- Book a Training Session → — $150 individual, $390 management team, $900 property-wide; PCI Req. 12.6 documentation included
The hospitality sector’s cybersecurity challenge is uniquely human. Every major breach documented in this article had a human decision point where trained behavior would have produced a different outcome. See the SecurEveryone hospitality program and book the training that builds those behaviors before the next call comes.
Sources: MGM Resorts 10-Q Q3 2023 SEC filing · MGM Resorts Form 8-K (September 14, 2023) · Caesars Entertainment Form 8-K (September 14, 2023) · Bloomberg News reporting on MGM and Caesars (September 2023) · Krebs on Security: “Scattered Spider” analysis (October 2023) · CISA Advisory AA23-320A (UNC3944/Scattered Spider) · CISA/FBI Advisory AA22-294A (Daixin Team) · UK ICO Marriott International penalty notice (October 2020) · DOJ Criminal Complaint, US v. Jiang Lizhi et al. (October 2018, Starwood attribution) · Multistate AG Marriott settlement (October 2024) · BBC News: IHG breach reporting (September 2022) · Hyatt Hotels Corporation breach disclosure (December 2015) · Hilton Hotels breach disclosure (November 2015) · Omni Hotels breach disclosure (April 2024) · IBM/Ponemon Cost of a Data Breach Report 2024 · Verizon DBIR 2024 Hospitality sector analysis · PCI Security Standards Council PCI-DSS v4.0 (March 2022, effective March 2025)