There have been reports of a cyber attack in which the personal data of 10.6 million guests staying at MGM Resorts hotels during the summer of 2019 may have been released by hackers.
MGM confirmed the attack to the BBC, after ZDNet reported that the hacked information was posted to a hacking forum, exposing names, addresses and passport numbers of the guests.
According to ZDNet, celebrities such as Justin Bieber and Twitter founder, Jack Dorsey, were among the guests that may have been hacked. However, MGM has not confirmed this.
1,300 guests were told that more sensitive data, like passport numbers, was hacked and an additional 52,000 were told that less sensitive personal information was exposed. Despite this, cyber attackers are generally skilled in using the least sensitive data to target an individual online.
A spokesperson for MGM Resorts said: “Last summer, we discovered unauthorised access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.
“We are confident that no financial, payment card or password data was involved in this matter.”
In 2017, Marriott Hotels experienced a similar attack, in which the information of 500 million guests was hacked. This became the largest hack affecting hotel guests.
Becky Nicholson, Data Privacy Expert working across multiple industries to assist organisations with data protection and data breach issues and also Consultant at Bridewell Consulting, commented:
“We are in danger of becoming numb to data breaches, due to the frequency and scale they are being reported. All organisations must take steps to protect their systems and ultimately customer data. This means taking basic steps such as putting in place regular security assessments, a strong patching and password policy, and enforcement of multi-factor authentication on every public facing system. These are not silver bullets but can go a long way to improving security.
“At this stage, it’s not clear how the hacker managed to gain access to MGM’s cloud server. However, technical defence is still paramount, and in particular, regular penetration testing is vital. It’s also just as important to test employee awareness. Employees will always be the weakest link but with the right education can be an organisation’s biggest asset in terms of defence. Such employee awareness training can also be measured by regular phishing or red team assessments,” she added.
Ekaterina Khrustaleva, COO of web security company ImmuniWeb, also added: “This particular incident reportedly contains only the victims’ PII, so it is not all that perilous or likely to be used for blackmailing. We should, however, not underestimate the overall impact of the breach. It provides a wide spectrum of efficient attack scenarios for cyber criminals, spanning from spear phishing to BEC and Whaling. Victims should be cautious about any incoming messages, calls or emails. Those whose passwords or secret answers can be inferred from the compromised data need to urgently consider changing their passwords and secret questions if they have not yet done so.”
“This data breach is comparatively insignificant in light of the exposed details. Almost every day, cyber criminals on various Dark Web marketplaces offer stolen data coming from hotels and resorts, and not that infrequently the data contains extremely sensitive information about guests’ preferences and stay.”