Hackers Post Details on MGM Resorts Guests: Report
Breached Cloud Server Contained Data on 10 Million Guests
Hackers have posted on an underground forum the personal information of 10.6 million MGM Resorts guests, ZDNet reports.
The exposed information includes full names, home addresses, phone numbers, emails and dates of birth, according to the report, which claims the authenticity of the data has been verified with the help of a yet-to-be-launched monitoring firm called Under the Breach.
On Thursday, an MGM Resorts spokesperson confirmed to Information Security Media Group that the company was hit by a data breach in the summer of 2019, when attackers accessed a "cloud server" that contained some details about guests who had visited the company's hotels and resorts.
"We are confident that no financial, payment card or password data was involved in this matter," the spokesperson tells Information Security Media Group. "MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws. Upon discovering the issue, the company retained two leading cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue."
How the breach happened and what specific cloud-based systems were targeted is not known.
The data posted online apparently includes the personal details of some celebrities, government officials, reporters and tech company CEOs, ZDNet reports. Those include pop singer Justin Bieber, Twitter CEO Jack Dorsey, FBI agents and other U.S. government officials, according to the news report.
While best known for its Las Vegas hotel and casino, MGM Resorts owns about 30 hotels and other resort facilities throughout the world. It's not clear, however, what locations were affected by the breach and data leak.
After discovering the breach in the summer of 2019, MGM says that the company promptly notified guests potentially affected by the security incident in accordance with state laws. At least one guest who stayed at an MGM hotel in 2019 posted that notification on an online Las Vegas messaging board, noting that the breach appears to have happened in August.
The MGM breach comes amid a slew of other cloud-based data breaches and data leaks. Earlier this month, for example, a security researcher discovered that an unsecured, cloud-based database belonging to Estée Lauder had exposed over 440 million company records, although it's not clear if any information was compromised or stolen (see: Unsecured Estee Lauder Database Exposed 440 Million Records).
Matt Walmsley, a director at the cybersecurity firm Vectra, notes: "As organizations increasingly use the cloud to underpin digital transformation, it is critical that security operations teams have the ability to pervasively detect and respond to attacks and unauthorized access wherever they happen. Attackers don't operate in silos of local mobile, network, data centers or cloud - neither should our security capabilities."
Previous Hotel Attacks
There have been many other hotel chains affected by data breaches. One of the largest of those incidents affected Marriott International.
In November 2018, Marriott discovered a data breach that exposed about 339 million customer records, including payment card details, passport numbers and dates of birth (see: Marriott's Mega-Breach: Many Concerns, But Few Answers).
Earlier this month, U.S. Attorney General Bill Barr attributed the Marriott breach to China after four members of China's People's Liberation Army were indicted for allegedly hacking Equifax in 2017 (see: Learn From How Others Get Breached: Equifax Edition).
Managing Editor Scott Ferguson contributed to this report.