About the Incident
MGM Resorts International is a giant US casino and hotel chain, with resorts in Las Vegas, Atlantic City and Detroit. It also owns properties in China and Japan and is in the process of building a new resort in Dubai. The publishing of MGM guest records on a hacking forum this week was first reported by ZDNet. When questioned by ZDNet, MGM reportedly acknowledged that it had been a victim of a data breach last year. “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM told ZDNet. MGM also confirmed that personal information belonging to former guests, now on the hacker forum, stems from this data breach.
MGM’s Response to the Incident
MGM stated that they had promptly notified all affected guests in compliance with applicable state laws. However, this does not mean that all affected guests were notified. They reported the breach to residents of US states that require reporting of “phonebook data” breaches. This involved some 52,000 guests. They also notified a further 1,300 former guests who had more sensitive information breached, such as drivers license information and passport numbers. Furthermore, when MGM discovered the breach mid-2019, a spokesperson said the company “retained two leading cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue.” The spokesperson also went on to say: “At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again.”
What Personal Information Was Published?
The breached MGM guest records included what MGM called “phonebook data”, which they stated is generally publicly available anyway. The leaked personal information included home addresses, phone numbers, email addresses and dates of birth. Furthermore, an MGM spokesperson told ZDNet “We are confident that no financial, payment card or password data was involved in this matter.” The records published on the hacker forum do not only belong to regular tourists. They also belong to celebrities, CEOs, executives and professionals from the world’s largest technology companies, reporters and government officials.
Who Published the MGM Records on the Hacker Forum?
ZDNet reports that they discussed the MGM breach incident with Head of Research at the threat intelligence firm KELA, Irina Nesterovsky. According to Nesterovsky, MGM guests’ data has been shared in closed-circle hacking forums since at least July last year. The hacker who published the information on a public hacker forum this week, is believed to be associated with or be a member of GnosticPlayers. This hacker group allegedly published more than one billion user records in 2019 alone.
Risks Faced by Victims
MGM’s data breach is not the largest leak of hotel guest information. In 2018, Marriott Hotels were involved in a data breach that exposed information of 500 million guests. The Marriott attack was linked to Chinese state-sponsored hackers who have been targeting hotel chains and travel companies throughout the US. These companies are being targeted for the vast amount of data they store on American executives and government officials with security clearances. With the MGM data breach, although it occurred last year, it is only this week that MGM records have been made publicly available on a hacker forum. It is therefore only now that victims are in potential danger of scams such as sim swapping and phishing scams.