The Identity Attack Surface: How Scattered Spider Weaponizes PII

Neil DuPaul

April 21, 2026

Reading time: 9 minutes

How PII-Powered APTs Exploit the Identity Attack Surface

In September 2023, a phone call to an IT help desk provided the initial access that led to one of the most disruptive cyber incidents in the history of MGM Resorts.

The caller didn’t exploit a software vulnerability. They didn’t deploy sophisticated malware.

They simply sounded believable.

What followed disrupted operations across MGM properties for days. Hotel systems failed, digital room keys stopped working, and casino floors were forced offline. The incident ultimately cost the company an estimated $100 million in losses and recovery efforts.

Most cyberattacks don’t begin with sophisticated malware or a novel exploit. They begin with context.

Before a phishing email is sent or a help desk is called, an attacker often already knows a surprising amount about their target. Names. Phone numbers. Job roles. Sometimes even details about how an organization verifies employee identities.

Attackers have a much easier time executing attacks when aided by real personal information about the people whose access they are stealing. A phone call sounds more convincing. A phishing message looks more legitimate. A password reset request feels routine.

This is the playbook used by groups like Scattered Spider, a cybercriminal collective that has repeatedly breached major organizations using social engineering and identity manipulation rather than traditional technical exploits.

Instead of searching for vulnerabilities in software, these attackers focus on something far harder to secure: human identity and trust. And the commodity that makes these attacks possible is PII (personally identifiable information).

The result is a new kind of adversary. One that relies less on malware and more on the strategic use of personal information to bypass security controls. Groups like Scattered Spider illustrate the rise of what one might call a PII-enabled advanced persistent threat. This is not just a shift in tactics. It is a shift in the attack surface itself.

The Vishing Lifecycle: How Do Help Desk Attacks Actually Work?

These attacks follow a predictable lifecycle.

Long before a help desk is ever contacted, the attacker has already done their homework.

In many identity-driven attacks, the impersonation attempt is the last move in a much longer process. Attackers begin by gathering details about their target: names, job roles, and sometimes even internal relationships between employees.

Much of that information can be found in places designed to be public. Professional networking sites, corporate biographies, conference presentations, and social media profiles all contribute. Attackers rarely rely on a single source. Information gathered from social media profiles, company websites, and public records can be combined with aggregated data sources to create a much more detailed profile of a target.

With enough details assembled, an attacker doesn’t need to guess their way through a help desk verification process. They can:

  • Answer identity verification questions confidently
  • Reference internal roles or projects
  • Reference personal relationships
  • Appear, convincingly, to belong

Information that appears harmless in isolation becomes powerful when assembled into a complete profile.

And while the immediate goal is system access, the implications of this exposure can be extremely costly.

One Digital Footprint, Two Security Perimeters

The same personal information that enables social engineering attacks can also create real-world risk.

From a cybersecurity perspective, exposed data helps attackers impersonate employees, bypass identity verification, and gain access to internal systems. The same information can also be used for doxxing, harassment, or physical targeting.

These are not separate problems. They stem from the same underlying exposed identity attack surface.

That means organizations are not just managing cyber risk. They are managing risk to their people.

Executives are often the most visible targets, but the risk extends further. Employees in finance, IT, HR, corporate communications, and support roles may provide indirect paths to sensitive systems. Many also maintain a public footprint that attackers can exploit.

Security leaders should evaluate identity attack surfaces and risk across both domains. This means understanding not just who has access to sensitive systems or data, but who is exposed, and how that exposure could be leveraged against your organization.

In modern attacks, there is no clear boundary between digital and physical risk. There is only a shared dependence on personal data.

To understand why this information is so readily available, it’s important to look at where it comes from.

The Data Broker Ecosystem and The PII Supply Chain Behind Modern Attacks

Much of the personal information attackers rely on doesn’t come from a breach at all.

Instead, it often comes from a sprawling ecosystem of companies known as data brokers. These firms collect personal information from a wide range of sources, including public records, online activity, and commercial transactions. They compile this data into detailed profiles about individuals, often without consumers’ direct awareness.

These platforms, combined with social media and public info, effectively form a continuous PII supply chain. They aggregate, package, and distribute the exact information attackers rely on to make impersonation attempts believable.

The profiles can include home addresses, phone numbers, employment history, family members, property records, and other personal details. Data brokers typically sell this information to advertisers, marketers, and other commercial buyers.

In many cases, little verification is required to access these datasets.

For marketers, these profiles power targeted advertising. For attackers planning social engineering campaigns, they provide something equally valuable: context.

With enough personal information in hand, an attacker can convincingly impersonate an employee during a phone call to a help desk.

This creates a structural advantage for attackers, one that traditional security controls are not designed to address.

Beyond Product Patching: Hardening the Human Workflow

Most security investments focus on hardening systems. Network controls, endpoint security, multi-factor authentication, and employee training all play a role.

These controls are essential. But they are not designed to solve this problem.

Attacks like the MGM breach do not succeed because systems are vulnerable. They succeed because people are. In practice, that burden often falls on the help desk.

Support teams are expected to verify identities, process account recovery requests, and keep employees productive. But they are not trained investigators. Nor should they be.

When attackers show up with enough accurate personal and organizational information, they do not look like attackers. They look like employees who need help.

At that point, the system is working as designed. The only remaining line of defense is a human being asked to make a judgment call.

You can try to train this away. But doing so requires time, constant reinforcement, and a level of scrutiny that slows down operations. It also places additional pressure on already stretched teams.

There is a more practical approach.

Instead of expecting employees to detect increasingly sophisticated impersonation attempts, reduce the amount of information attackers can use to make those attempts believable in the first place.

Because when attackers do not have accurate data, they make mistakes. They get caught in inconsistencies. Or more often, they move on to an easier target.

Addressing this shift requires a different approach.

How to Reduce Identity-Based Risk: 3 Strategic Actions

Incidents like the MGM breach highlight a shift in how organizations need to think about risk. Three priorities stand out:

1. Reduce the Identity Attack Surface

The most effective way to disrupt these attacks is to limit the information attackers can use to build convincing profiles.

That starts with visibility.

Start by auditing what personal data about your employees is exposed across data brokers, public records, and online sources. From there, prioritize removal efforts based on access and risk. This isn’t just an executive issue—it should be addressed across the organization.

You don’t need to eliminate exposure completely. You just need to make your employees harder to research than the next target.

2. Re-evaluate Identity Recovery and Support Workflows

Many organizations unintentionally create the conditions that make social engineering attacks more likely.

Help desks are designed for speed. Their job is to resolve issues quickly and keep employees moving. They should not be asked to become a security layer that must interrogate every request.

But when identity verification depends on easily obtainable personal information, those systems place employees in an impossible position. Faced with a request that looks legitimate, feels urgent, and fits normal workflows, the natural response is to act, not push back.

This isn’t a failure of awareness. It’s a product of design. The conditions surrounding the request—urgency, expectations, and workflow design—often make the insecure action the most natural one to take.

Security leaders should examine where workflows rely on human judgment under pressure and where business incentives like speed and responsiveness conflict with secure behavior.

The goal isn’t to train employees to be perfect. It’s to design systems that don’t depend on perfect judgment in the first place.

In practice, this can include strengthening identity assurance in recovery workflows, such as requiring higher assurance levels for credential resets or limiting what types of requests can be completed through support channels.
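As an added example (not code from DeleteMe or from this article), the following encodes the distinction just described as a policy check: a weak policy that accepts knowledge-based answers for any recovery request, beside a hardened one that requires a possession factor for credential changes and routes MFA resets out of the support channel entirely. The request types, assurance tiers and both policies are constructed for illustration.

```python
"""Help-desk recovery policy: knowledge-based answers cannot carry a reset.

Added example, not code from DeleteMe or the original article; signal tiers,
request types and both policies are constructed for illustration.
"""
from enum import IntEnum


class Assurance(IntEnum):
    """How hard a verification signal is for an outsider to obtain."""
    NONE = 0
    KNOWLEDGE = 1    # address, phone, employer, manager: sold by data brokers
    POSSESSION = 2   # approval on an already-enrolled device or hardware key
    OUT_OF_BAND = 3  # help desk calls back a directory number, not the caller


# Weak policy: every request clears on knowledge answers alone.
WEAK_POLICY = {
    "unlock": Assurance.KNOWLEDGE,
    "password_reset": Assurance.KNOWLEDGE,
    "mfa_reset": Assurance.KNOWLEDGE,
}

# Hardened policy: credential changes need a factor the caller cannot research;
# MFA re-enrolment (None) is not completable through the support channel.
HARDENED_POLICY = {
    "unlock": Assurance.POSSESSION,
    "password_reset": Assurance.POSSESSION,
    "mfa_reset": None,
}


def decide(policy: dict, request_type: str, signals: set) -> str:
    """Return 'allow', 'deny' or 'escalate' for one help-desk request."""
    # `signals`: assurance tiers the caller has actually satisfied. Types
    # absent from the policy, or mapped to None, leave the support channel.
    required = policy.get(request_type)
    if required is None:
        return "escalate"
    achieved = max(signals, default=Assurance.NONE)
    return "allow" if achieved >= required else "deny"


def researched_caller() -> dict:
    """Constructed case: a caller who answers every knowledge question."""
    s = {Assurance.KNOWLEDGE}
    return {"weak": decide(WEAK_POLICY, "password_reset", s),
            "hardened": decide(HARDENED_POLICY, "password_reset", s),
            "mfa_reset": decide(HARDENED_POLICY, "mfa_reset", s)}
```

The `researched_caller` case is the scenario the article describes: a caller armed with a complete broker-built profile passes every knowledge question, which the weak policy treats as sufficient and the hardened policy does not.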

3. Map Identity Risk Across the Organization

Identity-based attacks don’t affect all employees equally.

High-privilege roles present high-impact targets, but risk extends well beyond the executive team. IT staff, finance personnel, and support roles often provide indirect paths to sensitive systems.

Security leaders should map identity risk across the organization—looking at both digital exposure and access to systems, data, and processes.

This can start with identifying which roles have both high system access and high public exposure, and prioritizing those individuals for additional controls and data reduction efforts.

The goal is to understand not just who is most valuable to an attacker, but who is easiest to impersonate (and therefore most likely to be targeted).

Sources

Reuters. “MGM says its hotels and casinos operating normally after cyberattack.” 2023.
https://www.reuters.com/technology/mgm-says-its-hotels-casinos-operating-normally-after-cyberattack-2023-09-20/

Reuters. “MGM expects cybersecurity issue to negatively impact third-quarter earnings.” 2023.
https://www.reuters.com/business/mgm-expects-cybersecurity-issue-negatively-impact-third-quarter-earnings-2023-10-05/

Reuters. “Power, influence, notoriety: Gen Z hackers who struck MGM, Caesars.” 2023.
https://www.reuters.com/technology/power-influence-notoriety-gen-z-hackers-who-struck-mgm-caesars-2023-09-22/

Cybersecurity and Infrastructure Security Agency (CISA). “Scattered Spider Cyber Threat Advisory (AA23-320A).” 2023.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a

Cybersecurity Dive. “FBI, CISA warn of Scattered Spider’s social engineering tactics.” 2024.
https://www.cybersecuritydive.com/news/fbi-cisa-warn-scattered-spiders-tactics/756164/

Federal Trade Commission (FTC). “Data Brokers: A Call for Transparency and Accountability.” 2014.
https://www.ftc.gov/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014

Recorded Future. “When the Digital World Turns Physical: The Expanding Role of Threat Intelligence in Executive Protection.” 2024.
https://www.recordedfuture.com/blog/digital-world-turns-physical-expanding-role-threat-intelligence-executive-protection