Posted on February 20, 2020 at 4:45 PM
Hackers Exposed Personal Details of 10.6m MGM Hotel Guests
A recent report has revealed that hackers recently posted the personal details of more than 10.6 million personal guests of MGM resorts on an online hacking forum.
Some of the guests include Twitter CEO Jack Dorsey as well as Justin Bieber. However, MGM said no password data or financial data were exposed.
Hackers targeted high profile figures
The exposed details include emails, phone numbers, home addresses, and full names of the guests, as reported by ZDNet yesterday. Apart from high profile guests like Bieber and Dorsey, the hackers also targeted FBI agents, reporters, and tourists.
The authenticity of the information and data was verified with Under the Breach, a new data security outfit that would be launched soon.
MGM runs luxury hotels and resorts in the US and other locations in the world, including China and Japan. But the most prominent is the Las Vegas resort, which attracts thousands of guests that come for UFC fights, boxing matches, and casino tournaments.
According to a statement by an MGM spokesperson, the data was breached after a security incident that happened last year. The spokesperson said MGM found out that its cloud server containing certain information about former guests were accessed.
MGM had been exposed in the past
This is not the first time MGM Resort is facing challenges relating to security and data breach. The most recent data breach before this one occurred when Chinese state-sponsored hackers stole the information of about 500 million guests in the hotel. This hacking incident happened in 2017.
A ZDNet reporter, Catalin Cimpanu, who is reporting the present hacking incident, said on his Twitter page that the published data was hacked in July last year. However, customers were not notified about the breach until one month later.
He said when the MGM security team was looking into the incident, the team discovered that the leak was a result of a misconfigured cloud server. MGM Resort was not initially open to comments and responses about the leak, as the spokesperson declined to comment on the situation.
What was leaked?
Based on the report, the data dumped on the hacking forum contains personal details of 10,683,188 previous guests of the hotel. From the confirmation of the data, it contains information from government officials, CEOs attending business meetings, reporters, as well as business travelers.
After the researchers verified the data, they quickly contacted MGM Resorts. Shortly after contacting the Resort, the researchers were in a meeting with the company’s security team. The team also verified the data and linked it with a security incident that happened last year.
MGM Resort stated that it had employed two cybersecurity forensic companies to look into the breach and investigate the cause of security exposure that occurred last year.
In a statement regarding the data leak, the Resort stated that it takes full responsibility for the protection of guests’ data. The Resort further stated that it had enhanced and strengthened its network security to prevent such occurrences in the future.
The danger of Spear-phishing and SIM swapping
Although the security breach that took place in the MGM Resort server was not known to the general public, the recent data dump on a hacking forum has brought it to the attention of many hackers.
When the researchers discovered the leak and told the reporter, some of the sensitive information about the leak was highlighted. It means that some of the former guests whose personal information was exposed may be subjected to potential phishing emails. They also face the risk of being SIM swapped.
Nature of published data
MGM Resorts said the data the hackers published on the hacking forum was an old data. The Resort said from some of the guests it contacted today about the leak claimed they did not stay at the hotel beyond 2017.
Some of the phone numbers are already disconnected, which showed the data is pretty outdated. However, many of the numbers are still valid and used by their owners because the right person answered when they called.
The MGM Resort security team said the Resort is doing everything possible to strengthen security and secure its data from unauthorized access in the future.
