Hotel and casino operator MGM Resorts International admitted to experiencing a data breach last summer. It has been reported that the personal information of 10.6 million guests was compromised. The hotel giant indicated that the data breach did not involve any financial, password, or credit card information. Furthermore, every guest who was affected has been notified of the incident.
Details of the MGM Data Breach
“Last summer, we uncovered an incident of unauthorized access to our cloud server. This only had a limited amount of information for a limited number of previous MGM Resorts guests,” a company spokesman reported on February 20. “The information that did get breached included the names of our guests who stayed at our resorts as well as phone numbers.”
The exact number of MGM guests affected by the data breach was not released by the hotel and casino operator. Technology website ZDNet initially reported the data breach, as well as the fact that the personal details of more than 10.6 million MGM guests had been published on a hacking forum recently.
ZDNet contacted a few of the MGM guests listed in the leaked data, confirmed that they had stayed at the MGM and the dates of their stays, and verified the accuracy of the data included in the hack.
The guest information leaked on the hacking forum covered not only ordinary tourists, but also celebrities, journalists, big tech CEOs, and government officials. The data obtained through the hack included full names, phone numbers, emails, home addresses, and dates of birth.
Among the high-profile people included in the data breach were Twitter CEO Jack Dorsey, pop singer Justin Bieber, as well as TSA and DHS officials. The hack may have been targeted at tech conference attendees, since many of the journalists, tech executives, and government officials had attended tech conferences in Las Vegas.
The leaked data provided contact details for quite a few high-profile big tech and government officials from all over the world. Victims of the data breach are at an increased risk of receiving spear-phishing emails, or of being SIM swapped. A SIM swap involves a criminal contacting the victim’s mobile provider, and convincing the cellphone company to transfer the victim’s phone number to the criminal’s SIM card. At that point, the criminal can intercept phone calls and voice messages intended for the victim.
ZDNet Reaches Out to MGM
Once ZDNet had verified the data breach, it immediately reached out to officials at MGM Resorts. In less than an hour, a conference call ensued, during which the MGM team verified the data and tracked it back to a previous security incident involving their cloud server. MGM Resorts and ZDNet confirmed that none of the hotel guests in the leaked data had stayed at the hotel past 2017.
MGM Resorts has hired cybersecurity experts to perform an internal investigation into the data breach. Furthermore, the hotel chain has upgraded its digital security to ensure a similar data breach does not happen again.
“MGM Resorts takes its responsibility to protect guest data very seriously. We have enhanced and strengthened the security of our network in order to prevent this from happening again,” a company spokesperson said.
Irina Nesterovsky, the Head of Research at threat intel firm KELA, stated that the data of MGM’s hotel guests had been shared in a few closed-circle hacking forums since at least last July. Furthermore, the hacker responsible for releasing the information is believed to be associated with GnosticPlayers, a hacking collective that hacked and exposed over one billion user records in 2019 alone.
The severity and size of the recent MGM security breach are small in comparison to the huge Marriott hotels data breach of 2017.