Hackers leak personal data of 10.6 million MGM Resorts guests
The personal details of 10.6 million people have been posted in a hacking forum after MGM Resorts hotels suffered a data breach. The data includes dates of birth, email addresses, names, phone numbers and physical addresses, and celebrities such as Justin Bieber and Twitter's Jack Dorsey are among those affected.
While the data has only just been leaked, it stems from a security breach that took place last year. Data dating back to 2017 was found accessible on an unsecured cloud server.
- Over 27 million affected by healthcare data breaches last year
- 1 billion records exposed in 2019 as data breaches hit a new high
- Cyber theft experts say millions of credit cards exposed in breach being sold online
The data is said to have initially leaked back in July 2019, and those affected were notified the following month. But the data breach has been brought to public attention again after ZDNet, working in conjunction with a security researcher from Under the Breach, shared news of the data being shared on a hacking forum.
The data that was shared online has been confirmed as genuine and in all 10,683,188 former hotel guests are affected by the leak. In addition to Bieber and Dorsey, the personal details of Microsoft employees, FBI workers, reporters and government officials were included.
In a statement given to ZDNet, MGM said:
Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.
At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again.
The advice from the tech community has been for MGM customers to be on their guard. Ed Macnair, CEO of Censornet: "Now this data has been stolen, and published on a hacking forum, criminals will be looking at how they use it to launch a new spate of attacks. It isn't financial information, so they can't cash it in right away, but the personal data of high-profile individuals has its own value. The most likely form of attack we will see is impersonation attacks. Executives and CEOs who have had their data stolen should be asking if their organisation's security is capable of defending against impersonation attacks, and must alert their companies to be on the lookout for any communications that may be using their personal details to impersonate them."
Patrick Martin, Senior Threat Intelligence Analyst at dark web monitoring firm Skurio said that the incident "highlights the importance of speed when mitigating digital risk; watermarking data with unique synthetic identities can enable organisations to detect these threats immediately and be the first to find out if their data is available online, before someone else does".
Nominet's VP of Cyber, Stuart Reed, comments:
It seems that even party town, Vegas, can't escape from the cyber risk posed by cloud infrastructure. As MGM admits to identifying unauthorized access to a cloud server and potentially putting the personal information of millions of customers at risk, it raises the issue of whether organisations are asking the right questions to deliver a secure cloud environment. Inevitably the move towards the cloud has caused some security concerns as control and visibility is reduced, the network perimeter widens, and the opportunities for attack increase.