The 2019 MGM Resorts data breach is much bigger than initially anticipated
The news about the MGM Resorts data breach broke in February 2020.[1] It was reported that personal information of approximately 10.6 million hotel guests (among which were CEOs, celebrities, and politicians) was posted on a hacking forum. At the tame, the casino and hotel chain did not disclose any details about the number of customers that were affected by the incident and claimed that only 1,300 people had their IDs, driver licenses, and other sensitive data exposed.
The reports from February seem to be incorrect, however, as reporters from ZDNet found a listing on a hacking forum that paints a completely different picture when it comes to the number of the impacted MGM Grand Hotels guests.[2] The post, which was published on a hacking forum by somebody who goes by the name NightLion, claims that the data of a total of 142,479,937 hotel visitors were breached:
MGM Resorts was hit by cybercriminals, first reported by ZDNet, who lifted personal and contact details for 10.6 million hotel guests, including celebrities, employees and government officials. However what was not reported was that MGM Grand Hotels was also breached, consisting of 142 million entries.
Currently, anyone who is willing to gain access to the information of millions of people can buy it easily – the batch is being sold for as low as $2,939.76.
The data was exposed after hackers managed to breach data leak monitoring company DataViper
DataViper is a US cybersecurity service that is run by Vinny Troia (who also runs Night Lion Security), provides access to more than 15 billion records that have been breached by hackers before.[3] These types of services are relatively common and provide access by government officials or companies that are willing to know when and which credentials have been breached. This helps to reduce the impact on the business.
In an unlikely event, DataViper was hacked itself recently, exposing more than 8,200 databases to malicious actors. The breach itself was labeled as an act of revenge,[4], and the attacker claimed that he spent over three months inside the DataViper servers, exfoliating customer data of such companies like Ubisoft, Lion Airlines, eHarmony, Facebook, and many more.[5]
The hacker who posted a batch file of 142 million customers claims that the information comes from one of these compromised databases. However, Cybersecurity expert Vinny Troia insisted that the company never had access to MGM Grand Hotels databases and that the attacker is simply bluffing – trying to ruin his reputation.
MGM saying it was aware of the scope of the breach
The MGM data breach occurred in July 2019, when unknown attackers managed to access a cloud server that contained information on hotel visitors. While the data was deemed to be outdated and only contained “phone book” information (such as names, postal addresses, phones, and emails), many of the phone numbers exposed in the breach were still active. Besides, some of the confirmed breach victims already made claims that they received phishing phone calls and emails.
The local data breach notification laws allowed MGM Resorts not to publish the information about the number of the impacted users, although it claimed it contacted each of them individually. The firm only acknowledged the incident in February next year, when it was claimed that 10.6 million customers were affected, although no sensitive data was exposed. MGM Resorts spokesperson confirmed to ZDNet that the company was well aware of the scope of the data breach. The news outlet also claims that the number of impacted guests could be even larger – 200 million.