What the Hack? – Episode 238: The Phone Call that Broke the Bank
Date: February 10, 2026
Host: Beau Friedlander
Guest: Charlotte Jupp, VP of Customer Success at Outthink
Featured Contributor: Chris Tarbell, Former FBI Agent
Episode Overview
This episode takes listeners inside one of the most high-profile cyberattacks of recent years: the MGM Resorts breach in Las Vegas. By dissecting how a single phone call led to $100 million in damages, the hosts and expert guests spotlight the persistent risk humans pose to even the most tightly controlled environments. The episode breaks down how threat actors leverage social engineering, the evolution of human cyber risk, and what organizations (and individuals) can do to safeguard against the weakest link: people.
Key Discussion Points & Insights
1. The MGM Cyberattack: Anatomy of a Digital Heist
- Background & Impact
  - In September 2023, MGM Resorts was hit by a cyber attack that immobilized hotels and casinos in Las Vegas.
  - “[Guests] were locked out of their rooms. Hotel key cards failed. Slot machines went dark.” (Beau Friedlander, 00:27)
  - MGM Resorts eventually lost an estimated $100 million, mostly due to operational downtime.
  - “What this incident exposed wasn't just how a breach can happen, but how fragile even highly controlled environments can be when identity and access systems fail, as they will.” (Beau, 06:04)
- Not Just MGM
  - Caesars Entertainment suffered a similar attack days later but chose to quietly pay a $15 million ransom to the hackers, leading to less visible disruption. (13:14–13:21)
2. Human Risk: The “Weakest Link” in Cybersecurity
- The Human Factor
  - Between “60% and 90% of breaches start through the human element.” (Charlotte Jupp, 02:46)
  - Most breaches are not high-tech: a well-timed social engineering call to a help desk can be all it takes.
- Swiss Cheese Model of Defense
  - Security isn't a single barrier but multiple imperfect layers: “One slice of Swiss cheese, you can see right through… keep stacking those slices... you will eventually have something you can't see through.” (Beau, 03:22)
- Attack Vector: Social Engineering
  - Attackers use public info (often via LinkedIn or social media) to select targets not at the top, but with privileged access.
  - “The attackers didn’t start…by going after [the] MGM CEO…They went after something far more accessible.” (Beau, 06:46)
  - “Anyone could be a target because you can start knowing that this person is connected to this person…” (Charlotte, 07:03)
- SIM Swapping & Phishing
  - Chris Tarbell describes how attackers use SIM swaps: “You try to duplicate someone’s phone…[by] social engineering a person working at a cell phone store…” (Chris, 07:38)
  - Attackers use information scraped from public records to trick helpdesk staff into credential resets.
3. Why Traditional Security Awareness Isn’t Enough
- Evolving Threats
  - “We’ve been doing security awareness training over 20 years, but people factor is still the main way in.” (Charlotte, 09:12)
  - AI makes social engineering much more convincing and scalable.
- Workplace Pressures
  - Employees might circumvent security measures to be more efficient: “You might look for ways to go around it.” (Charlotte, 09:49)
  - Cybersecurity must balance safety with productivity.
4. How Attacks Unfold: From Access to Escalation
- Lateral Movement
  - Once attackers gain initial access, they use compromised credentials to move through the network, escalate privileges, and lock down systems with ransomware.
  - “The breach at MGM didn’t hinge on a single catastrophic failure. It happened as a result of a systemic failure.” (Beau, 10:33)
- The “Help Desk” Weak Point
  - “The initial access came from a phone call that looked, from the help desk perspective, like a routine support request.” (Beau, 11:19)
5. Pay or Don’t Pay? Companies Between a Rock and a Hard Place
- Contrasting Responses
  - Caesars paid the ransom; MGM didn’t. Both suffered.
  - “Does that make it right? I don’t know. We just gave a lot of incentive to the criminals. MGM refused to pay. Does that make them right? They lost $100 million.” (Beau, 13:21)
- No Easy Answer
  - “By the time a company is choosing between those two options, the damage is already done…the damage was already done before anything happened.” (Beau, 13:41)
  - Cyber risk is now an inescapable, persistent condition.
6. The Role and Limits of Security Leadership
- Chief Information Security Officers (CISOs)
  - Charlotte explains their role: “You do not have the time, the money and staff to be able to remediate every risk. So it's helping you understand what are your most business critical risks that you do want to do something about…” (Charlotte, 15:22)
- Dashboards & Risk Identification
  - Security dashboards help visualize and prioritize risk, but must balance actionable insight with information overload. (16:09)
7. Surveillance vs. Empowerment: Culture, Policy, and Human Error
- Monitoring and Privacy
  - “How do you measure human cyber risk without engaging in surveillance and crossing that line?” (Beau, 17:46)
  - Charlotte promotes education and two-way dialogue: “If you give people the opportunity to feed into that policy, I think it builds better culture overall, where you’re all in it together…” (Charlotte, 19:58)
- Adaptable and Responsive Security Measures
  - Companies can nudge or alert users in real time if risky behavior (like inputting sensitive company data into an unauthorized AI tool) is detected. (Charlotte, 21:36)
- Pattern Recognition
  - Indicators like repeated phishing failures, lack of training engagement, or the use of unapproved tools can highlight individuals or teams at greater risk. (Charlotte, 25:35)
8. The Aftermath: Consequences Beyond the Attack
- Regulatory scrutiny, lawsuits, disclosure requirements, and massive new investments in security follow major breaches.
- “Both incidents had a consequence, [SEC] disclosures became mandatory…FTC wanted information about data security practices…” (Beau, 27:49)
- Insurance never fully covers the cost.
9. What Can Individuals and Organizations Do?
- Minimizing Your Public Data
  - “If you go and look for me online…you’re not going to find out very much…It’s part of my own cybersecurity protocol to keep myself safe so that I’m harder to target.” (Beau, 30:54)
- Be Wary of Oversharing
  - “Most people will have their professional profiles on LinkedIn, their last however many jobs…by being able to understand then you offer up that information, a threat actor can start to see what type of data you might have access to.” (Charlotte, 32:28)
- AI Enables More Sophisticated Exploitation
  - “AI pretexting…take all that research, put it in an LLM…ask the LLM, what’s the best way to get so-and-so at such-and-such company to tell me this.” (Beau, 34:04)
- The Real Risk
  - “If our security systems only work when we all behave perfectly, is that really security?” (Beau, 34:56)
Notable Quotes & Memorable Moments
- "Between 60% and 90% of breaches start through the human element." – Charlotte Jupp (02:46)
- "If this exploit worked at MGM, it works anywhere." – Beau Friedlander (10:32)
- "Cyber risk is now an inescapable, persistent condition." – Paraphrase of Beau Friedlander’s analysis (13:41)
- "If you give people the opportunity to feed into that policy, I think it builds better culture overall, where you're all in it together..." – Charlotte Jupp (19:58)
- “If our security systems only work when we all behave perfectly, is that really security?” – Beau Friedlander (34:56)
Important Timestamps
- 00:01–04:13: MGM attack introduction, operational impact, and nature of casino security
- 06:36–07:21: How attackers target “reachable” employees, using public data
- 07:38–08:31: Chris Tarbell on SIM swapping and social pressure in attacks
- 09:12: Why human risk beats awareness training
- 10:33: Lateral movement after initial breach
- 11:19: The role of help desks and password resets
- 13:14–13:21: Caesars pays ransom, contrasting outcomes
- 15:22: CISO’s role and prioritization of risk
- 17:46–19:58: Balancing monitoring with supportive, transparent policy
- 21:36: Adaptive nudges and in-the-moment education
- 25:35: Spotting risk patterns in the workforce
- 27:49: Consequences and aftermath for MGM & Caesars
- 32:17–34:04: Personal privacy, data exposure, and how AI enables attack sophistication
- 34:56: The core question about the limits of human reliability in security
Episode Takeaways
- Human error remains the primary avenue for breaches—technology alone cannot protect organizations.
- Attackers start with publicly available information; oversharing on platforms like LinkedIn increases risk.
- Social engineering, especially when enhanced by AI, is alarmingly effective, even in tightly controlled environments.
- Surveillance isn’t the answer; empowering, educating, and engaging employees builds real security culture.
- Recovery from attacks is costly, complex, and often incomplete. True resilience requires both technical investment and human-centered strategies.
Final Thought
As Beau sums up:
“If our security systems only work when we all behave perfectly, is that really security?” (Beau Friedlander, 34:56)
The episode urges both organizations and individuals to rethink how they manage—and minimize—their digital footprints, emphasizing education, proactive policies, and constant vigilance in an ever-evolving landscape of threats.
