Data of 10.6 million MGM hotel visitors, including high-profile individuals, posted on the underground hacking forum
In July 2019, MGM Resorts hotel and casino chain was affected by a cybersecurity incident that resulted in its guests’ personal information disclosure. In a combined investigation by tech site ZDNet[1] and a security researcher from Under the Breach monitoring service, it was revealed this week that personal data 10.6 million individuals, including celebrities, CEOs, government officials, and other important guests, was posted in a batch file on a hacking forum.
While MGM hotel data breach did not affect sensitive customer details like credit card or payment information, the compromised details include guests’ names, email addresses, phone numbers, home addresses, as well as dates of birth. Despite that, some visitors claimed that they already been affected by threat actors’ scam attempts shortly after the incident occurred – in August 2019. MGM Resorts claimed that it informed everybody involved in the data breach following the state laws soon after.
ZDNet found that, among the affected, were such huge names like Twitter’s CEO Jack Dorsey and the pop star Justin Bieber. Department of Homeland Security and Transportation Security Administration members were also seemed to be on the list.
Data breach attributed to unauthorized access to a cloud server
While the data breach occurred last year and affected a total of 10,683,188 individuals, MGM did not announce the breach publicly. Without an investigation launched by Under the Breach researcher and ZDNet, this information might not have reached the public.
Upon discovering the hacking forum post, researchers contacted several victims in order to confirm the legitimacy of the data. As it turned out, the information that was freely accessible to everybody indeed matched guests’ personal details and the timeline. While some of the data from there breach was attributed to being outdated (only guests who stayed at the hotel prior to 2017 were affected), many phone numbers were still operational.
Under the Breach MGM Resorts right after they were able to confirm that the data was accurate, and the spokesperson for the hotel giant contacted them within an hour and stated the following:
Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.
The spokesperson also said that there were around 1,300 individuals who also had their sensitive information exposed – it included passports, driver’s licenses, ID cards, etc.[2]
MGM also said that, upon the discovery of the breach, it immediately began an investigation – hired a forensic experts’ team and contacted the appropriate law authorities, as well as the affected guests.
GnosticPlayers hacking group is believed to be responsible
According to ZDNet, the information was first posted on a hacking forum as early as July last year, right after the data breach occurred (although was not spotted by security firms or infosec community at the time). Head of threat research firm KELA, Irina Nestorevsky, believes that the threat actor who made a post in July is associated, or is a member, of a well known hacking group GnosticPlayers, which was responsible for stealing information of millions of users in multiple security incidents throughout 2019 – Zynga, Ge.tt, and Mixcould[3] are among a few of the affected companies.
While the MGM data breach was unnoticed until now, several users already reported on VegasBoard community forum that they were affected by targeted phishing attacks already. One of the users wrote in August last year:[4]
<…>Then 20 August I got a call that informed me I would be charged $399 in 48 hours for a web security service I don’t use unless I called a specific number. I ignored that call. Nothing happened but I changed my a number of passwords anyway. No charges were made.
MGM states that the breached information was mere “phone book data.” In the meantime, the stolen information may be used against celebrities and other individuals to conduct targeted phishing attacks.
MGM is not the first hotel chain that was affected by a massive data breach. In 2018, Marriott hotel was hacked by Chinese hackers, exposing sensitive customer details like credit card numbers and passport information.[5] Luckily, MGM Resort breach pales in severity in comparison to the Marriott incident.