On Feb. 19, technology website ZDNet.com reported that the personal details of 10.6 million guests who had stayed at MGM Resorts International were recently published on a hacking forum. Details reportedly included full names, home addresses, phone numbers, emails and dates of birth. MGM confirmed to ZDNet that this information stems from an earlier security breach the company experienced in 2018 when one of its cloud servers was hacked, but that no financial, payment card or password data was breached.
While the company said that the data stolen was “phonebook data” or information that can be found via a Google search, a new lawsuit (filed on Feb. 21 in Nevada District Court by Morgan & Morgan) alleges that this is not the case. According to the BBC, the lawsuit states that the stolen data includes driver’s license numbers, passport numbers, and military identification numbers of some of the guests that stayed at an MGM property.
While at first glance it might seem as if this data breach is “less serious” because no payment card details were released, there are still serious concerns about the nature of the information that was exposed. ZDNet confirmed that in many cases the released information belongs to high-profile individuals, including celebrities, members of the military, and people with email addresses connected to the Department of Homeland Security, the Justice Department, the FBI and the Transportation Security Administration. Because a name, phone number, address and date of birth are exactly what an attacker needs to craft a convincing pretext or to impersonate a customer to a mobile carrier, these users now face a much higher risk of receiving spear-phishing emails and of being SIM-swapped, ZDNet noted.
Additionally, the plaintiff leading the class-action lawsuit against MGM is a California resident. California recently implemented the CCPA (California Consumer Privacy Act), which could expose MGM to penalties. If any of the leaked guest data belonged to European Union residents, the GDPR could also apply and a separate fine could be levied.
HT asked security experts to weigh in on this data breach. Here is what a few of them had to say:
The hospitality industry — which is going through a digital transformation — is particularly appealing to hackers because of the huge opportunity for lateral attacks and the amount of personal data hotels hold on millions of people worldwide. When checking into a hotel, you have to give your name, ID — which is often a passport — and credit card information. Individual hotels register hundreds or thousands of people on a daily basis, especially in a tourism-driven city like Las Vegas. What’s particularly troubling about this attack is that because so much personal data was exposed, millions of people are now vulnerable to further, targeted spear-phishing attacks.
MGM Resorts has claimed that no financial, card payments or passwords were stolen during the breach. However, it would appear that at least 1,300 individuals had extremely sensitive data stolen during the incident - including personal information from their driver’s license, passport, and even military ID cards. For those particular victims, the data that was breached last summer could be putting them at risk of identity theft and fraud.
Whenever consumer data could potentially be leveraged for the purposes of identity theft, it is vital for that information to be stored in a manner that ensures it is completely secure. Once sensitive data has been utilized for the purposes it was originally intended for, it is sensible for businesses to delete that data to ensure that it isn't lying around unnecessarily on their systems waiting to be breached. GDPR affects all businesses that hold data about EU citizens; the same is true of CCPA, which affects businesses holding data about Californian residents that meet one of the three specifications laid out in the regulation. This means that any MGM customers who visited from the EU or California may have had their privacy rights affected by the incident, and MGM Resorts may end up being investigated to see whether it did enough to protect consumer data in accordance with those regulations.
Justin Fox, director of DevOps at NuData Security, a Mastercard company
The information on celebrities, tech CEOs, reporters, government officials, and employees represents a valuable treasure trove of information for cybercriminals who are selling it and for those that will be using it. All customer information is valuable to fraudsters. Name, physical, and email addresses, passwords, the content of emails – everything can be used to compile an identity, takeover accounts or open new credit lines.
This type of stolen data is why so many organizations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioral analytics that identify customers by their online behavior, thus mitigating post-breach damage, as hackers are not able to impersonate individual behavior.