MGM Resorts Admits Data Breach Of 10.6 Million Guests

Casino owner MGM has admitted it suffered a data breach in 2019 that included information about celebrities and CEOs of major tech firms.

American casino operator MGM Resorts International admitted on Thursday that it suffered a data breach last year that exposed data belonging to millions of customers.

The admission came after ZDNet earlier reported that the breach of a cloud server had compromised the details of over 10.6 million hotel guests.

These personal details were then reportedly published on a hacking forum this week, and the data included information on celebrities (e.g. singer Justin Bieber), chief executives of technology companies (e.g. Twitter CEO Jack Dorsey), as well as reporters and government officials.

MGM breach

Following this revelation, MGM Resorts then decided to issue a public statement on the matter.

It said that it had followed state laws about disclosing the incident, but most US states do not require companies to tell customers if their data, which is already public, has been exposed during a hack.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts”, a company spokesman said in an emailed statement to Reuters.

The statement said that no financial, payment card or password data was involved in the incident and the guests affected were notified.

It also seems that the breach occurred with data up to 2017 only.

So what was exposed? Well it seems that most of the information leaked was the names of guests, email addresses and their phone numbers.

MGM Resorts has said it had retained two cybersecurity forensic firms to assist in an internal probe.

The casino owner has also upgraded the security of its network to avoid such breaches in the future.

Spear-phishing

Security experts warned that while on the surface the breach seemed only to reveal PII (personally identifiable information), there is a risk of spear phishing attempts.

“This particular incident reportedly contains only the victims’ PII, so it is not all that perilous or likely to be used for blackmailing,” said Ekaterina Khrustaleva, COO of web security company ImmuniWeb.

“We should, however, not underestimate the overall impact of the breach,” said Khrustaleva. “It provides a wide spectrum of efficient attack scenarios for cybercriminals, spanning from spear phishing to BEC and Whaling.”

“Victims should be cautious about any incoming messages, calls or emails,” warned Khrustaleva. “Those whose passwords or secret answers can be inferred from the compromised data need to urgently consider changing their passwords and secret questions if they have not yet done so.”

“This data breach is comparatively insignificant in light of the exposed details,” Khrustaleva concluded. “Almost every day, cybercriminals on various Dark Web marketplaces offer stolen data coming from hotels and resorts, and not that infrequently the data contains extremely sensitive information about guests’ preferences and stay.”

Cloud security

Another expert pointed to the issue of organisations failing to properly secure information held in the cloud.

“It seems that even party town, Vegas, can’t escape from the cyber risk posed by cloud infrastructure,” said Stuart Reed, VP of cyber at Nominet. “As MGM admits to identifying unauthorised access to a cloud server and potentially putting the personal information of millions of customers at risk, it raises the issue of whether organisations are asking the right questions to deliver a secure cloud environment.”

“Inevitably the move towards the cloud has caused some security concerns as control and visibility is reduced, the network perimeter widens, and the opportunities for attack increase,” said Reed. “While it’s absolutely true that responsibility for the security of the cloud needs to be taken seriously, it shouldn’t hold back business transformation or innovation.”

“Instead the focus should be on learning from the experience of others and ensuring the right questions are being asked to provide assurance of security and ensure the organisation is bringing in the correct processes to facilitate a secure cloud environment; taking a close look at SLAs, for example,” Reed concluded.

Another expert also agreed on the need to properly secure cloud servers.

“Cloud servers have been a consistent feature in many of the biggest data breach stories we have seen recently,” said Ed Macnair, CEO of Censornet. “In this case, it appears that criminals gained unauthorised access, which allowed them to extract data such as names, addresses, and passport details.”

“It’s a stark reminder of the risk that comes with cloud transformation – in the past this data would have been held on the hotel’s own servers,” said Macnair. “In many ways, moving to the cloud has eroded the traditional perimeters that protected data, so companies need to make sure they have new security practices for the cloud.”

“Now this data has been stolen, and published on a hacking forum, criminals will be looking at how they use it to launch a new spate of attacks,” said Macnair. “It isn’t financial information, so they can’t cash it in right away, but the personal data of high profile individuals has its own value.”

“The most likely form of attack we will see is impersonation attacks,” Macnair warned. “Executives and CEOs who have had their data stolen should be asking if their organisation’s security is capable of defending against impersonation attacks, and must alert their companies to be on the lookout for any communications that may be using their personal details to impersonate them.”

Hotel breaches

It should be remembered that whilst this MGM Resorts breach is big, it is not the biggest breach of hotel guest data.

That dubious honour belongs to the Marriott Hotels chain.

That hack was only discovered in November 2018, but it affected the personal details and payment card data on up to 500 million people dating back to 2014. That attack was linked to Chinese state-sponsored hackers.

In July last year, the British Information Commissioner’s Office (ICO) announced its decision to fine the American hotel chain more than £99 million in a statement of intent.

The size of the fine for Marriott was because it falls under stricter data protection (GDPR) rules that took effect in May 2018.
