MGM is in the headlines again and it’s not good...
Information on hotel guests was just posted for sale on a dark web cybercrime marketplace, per a recent article from ZDNet. At more than 142 million entries, the marketplace is offering more than 14 times the amount of MGM Resorts guest data made available by cybercriminals in February of this year.
What’s not clear is whether the newly made available data is from a 2019 MGM breach or from a more recent database breach of threat intelligence platform Data Viper. Per the online advertisement selling the stolen data, “This data is from the July 2020 breach of DataViper.io.” However, according to ZDNet, a spokesman for Data Viper says they didn’t have a complete copy of MGM’s database, implying that the MGM guest details most recently distributed weren't derived from the Data Viper breach.
Nonetheless, once data is obtained for illicit purposes, there’s no telling how long it will circulate for or how much damage will be done. MGM Resorts now has this blight on their record while their guests are left to manage their own data security risks. Leaked data including names and email addresses can provide additional opportunities for spear phishing. Adding a phone number and date of birth to that data set increases the risk of SIM swapping.
No organization wants to find itself at the center of a security breach, much less have the negative effects of that breach to keep turning up in the news, but unfortunately that’s where MGM is. According to the following timeline, it’s been at least a year since the first breach occurred and customers’ data is still in play.
Data Breach and Distribution Timeline
Summer of 2019: Hacker gains access to one of MGM Resorts’ cloud servers and steals the names, birthdates, home addresses, phone numbers and email addresses of the hotel's past guests, which not only includes ordinary citizens, but also reporters, celebrities, CEOs, and government officials.
MGM alerts affected customers but doesn’t publicize the breach.
February 2020: The breach catches the public’s attention as data on more than 10.6 million MGM guests become available as a free download on a hacking forum. A MGM Resorts International customer sues the company.
July 2020: More than 142 million MGM Resorts guest details are posted for sale in a dark web cybercrime marketplace for just under $3,000 USD. It appears at least one entity already made a purchase.
Per ZDNet, there is evidence that even more data and more customers could have been affected by the breach. Online documentation suggests that data on more than 200 million MGM hotel guests has been available in private Russian-speaking hacking circles since as early as last July.
Protect your public cloud databases from data breaches with SecureCloudDB