MGM Resorts breach exposes info of 10.6 million hotel guests

The personal details of more than 10.6 million MGM Resorts hotel guests were recently posted on a hacking forum, and ZDNet has confirmed the data's authenticity. ZDNet said the data dump contains the full names, home addresses, phone numbers, emails and dates of birth of 10.6 million guests, including tech CEOs, celebrities, government officials and reporters. 

ZDNet verified the authenticity of the data today, together with a security researcher from Under the Breach, a soon-to-be-launched data breach monitoring service. A spokesperson for MGM Resorts confirmed the incident via email but did not confirm an exact number of affected guests.

Last summer, MGM discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts, according to an MGM spokesperson. “We are confident that no financial, payment card or password data was involved in this matter. MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws.”

Upon discovering the issue, the company retained two leading cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue. “At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” according to the statement. 

While guests who only stayed at the resort more recently may not have had their information included, it's unclear what time frame was impacted.

Publicly traded MGM Resorts has 29 casinos and hotels in its portfolio. The company is the largest employer in Nevada, with several Las Vegas Strip properties, including the MGM Grand Las Vegas, the Bellagio and Mandalay Bay Resort and Casino. 

Thwarting 'Bad Actors'

Cloud-based servers should be checked regularly to see who has read and write permissions, and those permissions should be modified as appropriate, said Patrick Martin, senior threat intelligence analyst at dark web monitoring firm Skurio.

“For a bad actor to access or exfiltrate data they need credentials or to take advantage of an ‘open door’ which has been left unlocked,” he said. “BinaryEdge, Shodan and many other tools make it easy to find these open containers. This sort of activity can be thwarted just by regularly checking those correct permissions are in place. However, for those instances when the security has been bypassed, there are mitigating steps organizations can take to monitor for data that’s being breached, discussed, shared or sold: by proactively monitoring for leaks or misuse of the data stored in publicly accessible databases or, in MGM's case, the dark web.”

This incident also highlights the importance of speed when mitigating digital risk; watermarking data with unique synthetic identities can enable organizations to detect these threats immediately and be the first to find out if their data is available online, before someone else does. “Setting up email listeners for these watermark identities can detect a breach before the data is shared online, if the hacker is testing for valid addresses,” Martin said. 
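A sketch of the watermark-identity idea described above, as an added example that is not from the article, MGM or Skurio: synthetic e-mail identities are derived per dataset, then matched against inbound mail (the listener) and against a posted dump (leak monitoring). The secret, the canary domain, the dataset names and the sample message and dump line are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
from email import message_from_string
from email.utils import getaddresses

SECRET = b"constructed-demo-key"   # assumption: secret stored outside the guest database
CANARY_DOMAIN = "canary.example"   # assumption: domain whose mail reaches the listener

def canary_address(dataset: str, n: int) -> str:
    """Derive a unique synthetic e-mail identity for record n planted in one dataset."""
    tag = hmac.new(SECRET, f"{dataset}:{n}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"guest.{tag}@{CANARY_DOMAIN}"

def build_index(datasets, per_dataset=3):
    """Map every planted address back to the dataset copy it watermarks."""
    return {canary_address(d, n): d for d in datasets for n in range(per_dataset)}

def check_inbound(raw_message: str, index: dict) -> set:
    """E-mail listener: datasets whose watermark identities this message was sent to."""
    msg = message_from_string(raw_message)
    headers = [h for name in ("To", "Cc", "Delivered-To") for h in msg.get_all(name, [])]
    return {index[a.lower()] for _, a in getaddresses(headers) if a.lower() in index}

def scan_dump(text: str, index: dict) -> set:
    """Leak monitor: datasets whose watermark identities appear in a posted dump."""
    pattern = r"[A-Za-z0-9._-]+@" + re.escape(CANARY_DOMAIN)
    found = re.findall(pattern, text, flags=re.IGNORECASE)
    return {index[a.lower()] for a in found if a.lower() in index}

if __name__ == "__main__":
    index = build_index(["guest-db-copy-a", "marketing-export"])  # hypothetical names
    probe = (  # constructed message: a sender testing whether a leaked address is live
        f"From: unknown@sender.example\nTo: {canary_address('marketing-export', 1)}\n"
        "Subject: hello\n\ntest\n"
    )
    # Constructed dump line; upper-cased to show matching is case-insensitive.
    dump = f"Jane Doe,{canary_address('guest-db-copy-a', 0).upper()},1980-01-01\n"
    print(check_inbound(probe, index))
    print(scan_dump(dump, index))
```

Because each address is unique to one dataset copy, a single hit identifies which store was exposed, not just that a leak occurred.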

In 2018, Marriott International said the private information of up to 500 million guests may have been accessed as part of a breach of its Starwood Hotels & Resorts Worldwide guest reservation database. The hotel chain said at the time that it discovered that there had been unauthorized access since 2014.