Scattered Spider's attacks have directly caused operational shutdowns — MGM Resorts reported estimated losses exceeding $100 million from a single incident. The group targets help desks and identity systems, meaning a successful intrusion can grant attacker access equivalent to a legitimate IT administrator, enabling ransomware deployment, data theft, and extortion across cloud and on-premises environments. Organizations in entertainment, hospitality, telecommunications, and technology sectors with outsourced IT support or BPO help desk functions face elevated exposure, and regulatory obligations under PCI-DSS, state breach notification laws, and telecom regulations may be triggered depending on the data accessed.
You Are Affected If
Your organization uses SMS or voice call as an MFA factor for privileged or remote-access accounts
Your help desk or IT support function accepts verbal or self-reported identity verification for MFA resets without out-of-band confirmation
You operate in entertainment, hospitality, telecommunications, technology, BPO, or financial services sectors — all named Scattered Spider target verticals
Your identity provider (Okta, Azure AD, Ping) is internet-accessible and supports self-service MFA enrollment or recovery
You use a third-party BPO or outsourced help desk that may not enforce the same identity verification standards as internal staff
Board Talking Points
A well-documented criminal group continues attacking companies in our sector by impersonating employees to reset account access — arrests have not stopped their operations.
We should complete a review of our help desk identity verification procedures and MFA standards within 30 days and confirm alignment with NIST SP 800-63B.
Organizations that did not act after the MGM and Caesars incidents faced operational shutdowns and losses exceeding $100 million — inaction on identity controls carries direct financial exposure.
PCI-DSS — Scattered Spider has targeted organizations processing payment card data; successful identity-based intrusion enabling access to cardholder data environments triggers PCI-DSS breach notification and forensic investigation requirements
FCC / CPNI — SIM swapping attacks against telecom account holders may implicate Customer Proprietary Network Information (CPNI) protection obligations under FCC rules
State Breach Notification Laws — multiple named victims (MGM, Caesars, MailChimp, Twilio, DoorDash) held consumer PII; identity-based intrusions accessing that data trigger notification obligations under applicable state statutes
