Field Notes · Analysis · 17 April 2026
MGM Resorts: The Helpdesk as Attack Surface
Public reporting on the MGM breach describes a fast-moving helpdesk impersonation attack. The caller reportedly used employee information found on LinkedIn, requested a password reset, and gained access to identity infrastructure including Okta and cloud services. The exact internal timeline is known only from that reporting, not from a full public technical postmortem.
The reporting framed it as a social engineering attack. That framing is correct and stops too early.
The helpdesk in a global hospitality operation runs around the clock, staffed by people whose performance is measured on speed of resolution and customer satisfaction. The protocols that govern identity verification on those calls are written by security teams who do not work the late shift, do not field the angry senior who claims they have a client meeting in fifteen minutes, do not absorb the cost of saying no when the caller turns out to be legitimate.
The attacker did not break Okta. They walked through the gap between the people who design verification processes and the people who execute them. The first group has the authority to design protocols that frustrate the second group. The second group has the authority to skip those protocols when frustration meets a calm voice on the line. Both behaviours are rational from where they sit.
MGM invested heavily in recovery after the incident, but the asymmetry that produced the original call, the gap between the people who write protocols and the people who absorb the cost of enforcing them, remains the same.
Helpdesks sit between policy and labour, between the people who write the rules and the people who absorb the cost of enforcing them. An attacker who understands that chain does not need to break anything technical, only to sound like the people the helpdesk is trained not to refuse.
- CISA Advisory AA23-320A, "Scattered Spider", November 2023.
- Okta incident statement, September 2023.
- VX-Underground public reporting on the initial vector.
- MGM Resorts International Form 8-K filed with the SEC, September 2023.
- Subsequent reporting in the Wall Street Journal and Bloomberg describes the helpdesk vishing sequence and rapid access timeline.