Ransomware. POS malware. Loyalty account takeover. Vishing the front-desk helpdesk. Hospitality is the #1 publicly named Scattered Spider target sector — and the attack vector requires no technical skill.
Defining breaches in the hospitality sector
⚠ Active Threat — Scattered Spider
CISA and FBI have issued joint advisories on Scattered Spider's hospitality targeting.
Scattered Spider (UNC3944) specializes in vishing IT helpdesks to bypass MFA. They research targets on LinkedIn, call posing as employees, and persuade helpdesk agents to reset MFA credentials. Once in, they move laterally and deploy ransomware. The entire attack chain starts with a phone call — not a malware exploit. Training your helpdesk with identity verification protocols is the primary control. Download the Vishing Defense Playbook →
The hospitality sector's threat profile is uniquely complex: constant staff turnover, distributed POS infrastructure, loyalty programs worth millions, and helpdesks trained to be helpful — not skeptical.
Scattered Spider's core technique: call the IT helpdesk, impersonate an employee, request an MFA reset. MGM's helpdesk agent followed normal procedure — they just didn't have a protocol that stopped it. The fix is not technical. It's a trained verification procedure.
Hotel restaurant POS terminals, resort spa booking systems, valet parking kiosks, and online booking platforms are all in-scope under PCI-DSS. Attackers compromise vendor remote access to install card-scraping malware. The data is exfiltrated in small batches over months before discovery.
Loyalty points are currency. Attackers use credential stuffing (testing billions of leaked username/password pairs) to compromise loyalty accounts and redeem points for gift cards or cash. Caesars Entertainment's $15M breach specifically targeted its loyalty database. Each compromised account costs an average of $250 in fraudulent redemptions.
Hotel management systems (PMS), door key systems, and reservation platforms are interconnected. When ransomware deploys, it all stops: MGM's slot machines went dark, room keys stopped working, and guests couldn't check in. The operational impact of a ransomware attack in hospitality is immediate and visible to every guest on property.
Scattered Spider vished MGM's IT helpdesk using an employee's LinkedIn profile. After an MFA reset, the group moved laterally and deployed ALPHV/BlackCat ransomware. Slot machines went offline. Hotel keys stopped working. Reservations became manual. 10-day operational outage.
~$100M Total impact · 10-day outage · SEC 8-K filed
Same Scattered Spider group attacked Caesars weeks before MGM. Caesars paid the $15M ransom to avoid operational disruption. SEC 8-K disclosed loyalty database theft — driver's license numbers and Social Security numbers of loyalty members.
$15M Ransom paid · Loyalty DB stolen · SEC 8-K
State-sponsored attackers maintained persistent access inside Starwood's network for four years before Marriott acquired it in 2016 — and the intrusion continued through 2018. 500M+ guest records including passport numbers, payment cards, and loyalty data. €18.4M GDPR fine; $52M multistate AG settlement in 2024.
500M+ Records · €18.4M GDPR · $52M AG settlement
Daixin Team ransomware attacked Omni properties across the US and Canada. Reservation systems taken offline. Hotel door keys stopped working. Guest check-in became manual paper-based processes. Guest data including contact details and loyalty information was exfiltrated and threatened for release.
Multi-site US + Canada properties · Guest data exfiltrated
A single breach at a hotel property can trigger four regulatory frameworks simultaneously. Here's what each requires and what the penalty exposure looks like.
| Regulation | Agency | Key Requirement for Hotels | Penalty |
|---|---|---|---|
| PCI-DSS v4.0 | Card Brands (Visa, Mastercard, Amex) | Security training for all staff handling cardholder data (Req. 12.6); MFA for non-console admin access (Req. 8.3); payment page integrity monitoring for online bookings (Req. 11.6) | $5K–$100K/month |
| GDPR (UK/EU) | ICO (UK) / National DPAs (EU) | Lawful basis for guest data collection; 72-hour breach notification; right to deletion; data minimization; documented staff training | Up to €20M or 4% revenue |
| State Breach Notification Laws | State AGs — 50 states | Notify affected residents (30–90 day windows vary by state); notify AG when breach exceeds threshold; document root cause and remediation | $5K–$25K per violation |
| FTC Safeguards Rule | Federal Trade Commission | Applies to hotels operating financial products (loyalty financing, co-branded cards); written security program; annual risk assessment; employee training; vendor oversight | $51,744/violation/day |
| NYDFS Part 500 | New York Dept. of Financial Services | Applies to NYC properties operating under NY financial services licenses; written cybersecurity program; CISO; 72-hour notification; annual board certification | $1,000/violation |
Generic security awareness training doesn't address the specific attack patterns hitting hotels and casinos. These three drills do — starting with the one that took down MGM.
Walk your helpdesk and front-desk team through the exact Scattered Spider playbook: LinkedIn OSINT, impersonation call scripts, urgency pressure tactics, and the identity verification protocols that stop an MFA reset cold — before it happens.
Front-desk agents and reservations staff receive phishing emails every day — fake OTA invoices, fake corporate rate inquiries, fake vendor updates. This drill covers the specific phishing patterns targeting hotel operations staff and how to recognize them before clicking.
BEC wire fraud targeting hotel finance and property management teams follows a predictable pattern: impersonate a franchisor, brand, or vendor; request a change in banking details; intercept the next wire transfer. This drill walks through the attack pattern and the callback verification protocol that stops it.
No per-seat licensing. No annual contracts. Book a session, train your property, done.
Free Download
The Scattered Spider playbook, step by step — plus the identity verification protocol that stops helpdesk social engineering before it succeeds. Built specifically for hospitality IT and front-desk teams.
Scattered Spider (UNC3944) researched MGM employees on LinkedIn, identified an IT helpdesk number, then called impersonating a staff member — claiming they were locked out of their account and needed an MFA reset. The helpdesk agent complied without sufficient identity verification, granting the attacker access. From there, the group moved laterally and deployed ALPHV/BlackCat ransomware across MGM's network. The September 2023 attack caused approximately $100 million in losses, shut down slot machines, hotel key systems, and reservations for 10 days, and triggered an SEC 8-K disclosure. The attack vector — vishing the helpdesk — required zero technical skill. It required a phone and a LinkedIn account.
PCI-DSS v4.0 (effective March 2025) requires hotels to protect all payment card data across every touchpoint — front desk terminals, restaurant POS, resort spa, parking, and any third-party booking platform that passes card data. Key changes in v4.0 relevant to hospitality: Requirement 12.6 mandates a formal security awareness program with documented training for all staff who interact with cardholder data. Requirement 8.3 strengthens MFA requirements. Requirement 11.6 adds new requirements for monitoring payment pages for card-skimming scripts (critical for online booking platforms). Violations can result in fines of $5,000–$100,000 per month from card brands, mandatory forensic investigation costs, and potential loss of payment processing capability.
Hospitality loyalty programs contain millions of accounts with accumulated points worth real money — Marriott Bonvoy, Hilton Honors, and Caesars Rewards credits are all convertible to travel, cash, and merchandise. Attackers use credential stuffing (testing leaked username/password combinations from other breaches) to gain access to loyalty accounts, then immediately redeem points for gift cards, hotel nights, or cash transfers before the legitimate user notices. Caesars Entertainment's September 2023 breach specifically targeted its loyalty database. The defense: enforce MFA on loyalty account logins, monitor for impossible-travel logins, send immediate notifications on point redemption, and cap daily redemption amounts for new device logins.
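The four loyalty-program controls named above (MFA aside, which sits in the identity provider) can be expressed as a small risk engine that runs on login and redemption events. The following is an added example written for this page, not code from any hotel chain, loyalty vendor, or the training provider; the event schema, the 900 km/h impossible-travel threshold, the 7-day "new device" window and the $50 new-device daily cap are constructed assumptions, as are the sample events in `demo()`.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Thresholds are constructed assumptions for this example, not values from any real program.
IMPOSSIBLE_SPEED_KMH = 900.0           # faster than an airliner: two people, one account
NEW_DEVICE_WINDOW = timedelta(days=7)  # a device first seen under 7 days ago is still "new"
NEW_DEVICE_DAILY_CAP_USD = 50.0        # daily redemption cap applied to new-device sessions


@dataclass(frozen=True)
class LoginEvent:
    account: str
    ts: datetime
    lat: float
    lon: float
    device_id: str


@dataclass(frozen=True)
class Redemption:
    account: str
    ts: datetime
    device_id: str
    value_usd: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_impossible_travel(prev: LoginEvent, cur: LoginEvent) -> bool:
    """True when the speed implied by two consecutive logins exceeds the threshold."""
    dist_km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:  # same second or clock skew: any real distance is suspicious
        return dist_km > 50.0
    return dist_km / hours > IMPOSSIBLE_SPEED_KMH


class LoyaltyGuard:
    """Per-account login history plus the redemption controls from the text above."""

    def __init__(self) -> None:
        self.last_login: dict[str, LoginEvent] = {}
        self.device_first_seen: dict[tuple[str, str], datetime] = {}
        self.daily_redeemed: defaultdict[tuple, float] = defaultdict(float)

    def record_login(self, ev: LoginEvent) -> list[str]:
        """Returns the alerts a login raises: 'impossible_travel' and/or 'new_device'."""
        alerts: list[str] = []
        prev = self.last_login.get(ev.account)
        if prev is not None and is_impossible_travel(prev, ev):
            alerts.append("impossible_travel")
        key = (ev.account, ev.device_id)
        if key not in self.device_first_seen:
            self.device_first_seen[key] = ev.ts
            alerts.append("new_device")
        self.last_login[ev.account] = ev
        return alerts

    def authorize_redemption(self, r: Redemption) -> tuple[bool, list[str]]:
        """Applies the new-device daily cap; every redemption also notifies the member."""
        actions = ["notify_member"]
        first_seen = self.device_first_seen.get((r.account, r.device_id))
        is_new = first_seen is None or (r.ts - first_seen) < NEW_DEVICE_WINDOW
        if is_new:
            day_key = (r.account, r.device_id, r.ts.date())
            if self.daily_redeemed[day_key] + r.value_usd > NEW_DEVICE_DAILY_CAP_USD:
                return False, actions + ["new_device_cap_exceeded"]
            self.daily_redeemed[day_key] += r.value_usd
        return True, actions


def demo() -> dict:
    """Runs constructed events through the guard and returns every decision."""
    utc = timezone.utc
    g = LoyaltyGuard()
    # Constructed history: the member's own phone has logged in from Las Vegas for a month.
    g.record_login(LoginEvent("m-1001", datetime(2024, 4, 1, 9, 0, tzinfo=utc), 36.17, -115.14, "dev-owner"))
    g.record_login(LoginEvent("m-1001", datetime(2024, 5, 1, 9, 0, tzinfo=utc), 36.17, -115.14, "dev-owner"))
    # Constructed takeover: 90 minutes later a never-seen device logs in from Bucharest.
    stuffing_alerts = g.record_login(
        LoginEvent("m-1001", datetime(2024, 5, 1, 10, 30, tzinfo=utc), 44.43, 26.10, "dev-unknown"))
    # Two $40 gift-card redemptions from the new device: the second one breaches the cap.
    first = g.authorize_redemption(Redemption("m-1001", datetime(2024, 5, 1, 10, 31, tzinfo=utc), "dev-unknown", 40.0))
    second = g.authorize_redemption(Redemption("m-1001", datetime(2024, 5, 1, 10, 32, tzinfo=utc), "dev-unknown", 40.0))
    # The member's established device is not capped, but is still notified.
    owner = g.authorize_redemption(Redemption("m-1001", datetime(2024, 5, 1, 12, 0, tzinfo=utc), "dev-owner", 200.0))
    return {"stuffing_alerts": stuffing_alerts, "first": first, "second": second, "owner": owner}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The cap is keyed on account, device and calendar day, so an attacker cannot reset it by re-authenticating, and the impossible-travel check runs on every login regardless of device so a stuffing hit from a familiar device family is still caught when the geography does not add up. In production the `notify_member` action would go to a channel the attacker does not control (the phone number or e-mail on file before the session began, not one changed during it).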
Yes — if your hotel property serves EU residents (regardless of where they're staying), GDPR applies to how you collect, process, and store their personal data. This includes passport data, payment information, preferences, loyalty account data, and marketing communications. Marriott's GDPR fine for the Starwood breach — €18.4 million — was assessed by the UK ICO. Key requirements: data minimization (don't store passport scans longer than check-in requires), consent for marketing emails, right to deletion upon guest request, 72-hour breach notification to regulators, and documented data processing records. Training your front desk and reservations staff on what data you're allowed to collect and retain is a GDPR compliance requirement.
NYDFS 23 NYCRR Part 500 applies to hospitality companies regulated as financial services companies in New York — primarily hotel companies operating their own financing, loyalty redemption programs, or insurance offerings requiring a New York financial services license. Separately, hotels storing significant amounts of NY resident data may be subject to the NY SHIELD Act and NY General Business Law §899-aa breach notification requirements. Marriott's 2018 breach contributed to the multi-state AG investigation resulting in a $52 million settlement in October 2024. If you operate a NYC property and handle financial products, consult your compliance counsel on Part 500 applicability.
Yes — and it's the only control that reliably stops it. Scattered Spider's helpdesk vishing technique requires a human to comply. Technical controls (firewalls, EDR) don't catch a social engineering call. What does: (1) A trained helpdesk that always asks for a manager callback on any MFA reset request; (2) An identity verification protocol — a code word, a known-good callback number, or out-of-band confirmation from the user's manager; (3) Regular simulated vishing exercises so helpdesk staff recognize the pressure tactics; (4) Clear escalation procedures so a suspicious call gets flagged immediately. MGM's helpdesk agent followed normal procedures — they just didn't have a protocol that required verification before an MFA reset. One trained response stops the entire attack chain.
Book a live session today. Sessions are 60–120 minutes, held over Zoom, and built around your property's specific helpdesk procedures, POS environment, and compliance requirements.