MGM Resorts has confirmed that the company was breached after a database containing the sensitive information of nearly 10 million former guests was shared on a hacking forum.
The company believes that the exposure was caused by an unauthorised party accessing one of its cloud services last year. MGM is a global hospitality and entertainment company with resorts in Las Vegas, Atlantic City, Detroit, China and Japan, including Bellagio, ARIA, and Mandalay Bay. MGM's statement did not list which properties were affected in the security incident.
Businesses operating in the hospitality industry, such as hotels, are attractive targets for cybercriminals. Hotels capture highly sensitive information about their customers such as names, phone numbers, financial information, passport details, email addresses and more. Although this is not the largest security incident involving hotel guest information - in 2017, Marriott Hotels' breach exposed 500 million customers’ personal details - each data breach gives threat actors a chance to commit new crimes and fraud.
This is yet another example of a large corporation failing to demonstrate a resilient cybersecurity strategy in order to protect their customers' data.
What was exposed?
According to MGM representatives, the bulk of the information was 'phonebook information' including full names, phone numbers, physical addresses, birthdates and email addresses. However, approximately 1,300 customers had more sensitive information compromised, including passport numbers. MGM claims that no financial data was revealed in this case.
The data was obtained as a result of a security breach that took place last summer, in July 2019; however, it was only this week that it was posted on the hacking forum, gaining attention from both hackers and media outlets.
Who does this affect?
The compromised information belongs to former hotel guests, as it seems that none of the contacted individuals stayed at the hotel past 2017. The exposed files also include contact details for celebrities like Justin Bieber and Twitter founder Jack Dorsey, tech CEOs, reporters, government officials, and employees at well-known tech organisations. While it is reported that the dataset contains approximately 10 million records, the resort chain could not provide an exact number of affected customers because there is a chance that the exposed information was duplicated. The company stated that all the customers involved were notified in accordance with applicable state laws.
Fraudsters can use the information, even the less sensitive data, to develop highly targeted phishing scams. The risk of spear phishing and whaling is even greater because this particular security incident revealed details of many high-profile users working for big tech firms and governments all over the world.