MGM Data Breach 14x Higher than Initially Thought
In February 2020, HT reported that MGM had suffered a data breach affecting approximately 10.6 million guests. At the time, MGM Resorts had confirmed that the information posted to the dark web stemmed from an earlier security breach the company had experienced in 2018 when one of its cloud servers was hacked.
However, it seems this sale of 10.6 million guest data points was only the tip of the iceberg. ZDNet.com reports that over the weekend, a hacker put up for sale data points from more than 142 million MGM hotel guests for just over $2,900.
Number of Consumers Affected
However, the scale of the breach could be even bigger. According to ZDNet, some posts on Russian-speaking hacking forums promoted the MGM data breach as containing details on more than 200 million hotel guests.
“The scale of this breach is alarming, and in the context of other recent breaches it’s high on the list in terms of volume,” says Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions.
On the other hand, it might not be quite as large as 142+ million unique guests.
“It’s important to be very careful about the raw number reports of lost records during breaches. Besides the affected company sometimes under reporting breach numbers, the number you get from criminal marketplace sellers is also sometimes higher than you might realize,” according to Corey Nachreiner, CTO, WatchGuard Technologies. “Usually, if a seller is selling a database with 142 million records, that is literally the raw number of database entries. HOWEVER, one database entry doesn’t always match 1 to 1 to the number of customers in that database. Database tables are often messy, containing duplicates, incomplete entries, and so on. Usually, the number is a little lower than the raw record entries.”
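Nachreiner's point about raw row counts versus real people can be made concrete. The script below is an added example, not code from the article or from any vendor quoted in it; the rows are constructed sample data in the shape of a typical guest-record dump, not records from the MGM leak. It normalizes e-mail addresses and phone numbers, drops rows with no usable identifier, and links rows that share an identifier, so the raw row count (8) is reduced to an estimate of distinct individuals (4).

```python
"""
Estimating how many distinct people a leaked record dump really covers.

Added example (not from the article). SAMPLE_ROWS is constructed test
data. Rows are linked only on normalized e-mail or phone, never on
name, because names collide far too often to be a safe join key.
"""
import re

# Constructed sample rows: duplicates, case/whitespace variants,
# incomplete rows and an empty row, as seen in messy dumps.
SAMPLE_ROWS = [
    {"name": "Jane Doe", "email": "jane.doe@example.com", "phone": "+1-702-555-0100"},
    {"name": "JANE DOE", "email": " Jane.Doe@Example.com ", "phone": "(702) 555-0100"},
    {"name": "John Roe", "email": "john.roe@example.net", "phone": ""},
    {"name": "John Roe", "email": "", "phone": ""},           # no usable identifier
    {"name": "", "email": "", "phone": ""},                   # empty row
    {"name": "Ann Poe", "email": "ann@example.org", "phone": "+1 702 555 0199"},
    {"name": "A. Poe", "email": "", "phone": "7025550199"},   # same phone as Ann Poe
    {"name": "Bob Coe", "email": "bob.coe@example.com", "phone": None},
]


def normalize_email(raw):
    """Lower-case and trim; reject anything that is not shaped like an address."""
    if not raw:
        return None
    email = raw.strip().lower()
    return email if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email) else None


def normalize_phone(raw):
    """Keep digits only; strip a leading North American country code; require 10 digits."""
    if not raw:
        return None
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits if len(digits) == 10 else None


def row_identifiers(row):
    """Return the typed identifiers a row can be linked on (possibly none)."""
    ids = []
    email = normalize_email(row.get("email"))
    phone = normalize_phone(row.get("phone"))
    if email:
        ids.append("email:" + email)
    if phone:
        ids.append("phone:" + phone)
    return ids


class DisjointSet:
    """Union-find over identifier strings; find() registers unseen keys."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def estimate_unique_people(rows):
    """Return (raw_row_count, usable_row_count, estimated_distinct_people)."""
    links = DisjointSet()
    usable = 0
    for row in rows:
        ids = row_identifiers(row)
        if not ids:
            continue  # incomplete row: counted in the raw total, not as a person
        usable += 1
        for ident in ids:
            links.union(ids[0], ident)  # also registers single-identifier rows
    distinct = len({links.find(i) for i in links.parent})
    return len(rows), usable, distinct


if __name__ == "__main__":
    raw, usable, people = estimate_unique_people(SAMPLE_ROWS)
    print(f"raw rows={raw} usable rows={usable} estimated people={people}")
```

The estimate is still only an estimate: two genuinely different people who share a household phone number would be merged, and a person who appears under two different addresses with no phone would be counted twice, which is exactly why notification, not the headline number, is what Pendergast says to judge a company on.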
Tom Pendergast, Chief Learning Officer at MediaPro, a Seattle, Washington-based provider of cybersecurity and privacy education, is less concerned by how many people were affected by the data breach than by how the company reacts once it has learned of it.
“What we should ask of companies is not that they have an immediate and exact count of records exposed or even individuals whose data is exposed—it’s tricky sorting out duplicates, cross-tabulating records, etc.,” Pendergast explains. “What we should ask is that they notify individuals affected as soon as they possibly can, and that all individuals exposed should be notified. That process will ultimately lead to a number, but it’s not the number I worry about—it’s the transparency the companies show and the speed with which they notify and seek to protect individuals. This is not a compliance duty and it’s not a race, it’s a moral duty that companies have to the individuals who entrust them with their data. Period.”
Breaches Affect Consumers Long-Term
Some might wonder why hackers are selling the information from this data breach in bits and pieces instead of in one big data dump. Well, that’s just the way the game is played.
“Unfortunately, data breaches can impact victims for months, or even years, beyond the initial exposure,” says Anurag Kahol, CTO, Bitglass. “This is due to cybercriminals continually selling data on the dark web and leveraging the information to launch extremely targeted phishing scams.”
Why MGM Was Mum on Breadth of Attack
So why didn’t MGM notify its clients back in February that the attack was much larger than the 10 million records that were initially reported? The answer is complicated and revolves around being able to answer the question: How much did they really know?
If they hired the best investigators and those investigators incorrectly reported that only 10 million records were breached, MGM may have done all that was in their power to do at the time, Nachreiner says.
“It’s quite possible for forensic investigators or even the business in question to be unsure of how big the breach really was,” Nachreiner adds. “They may simply have been ignorant of the full scale of the breach.”
However, when ZDNet reached out to MGM for comment, they issued a statement saying they were “aware of the scope of the breach.”
If MGM withheld the scope of the breach because it was worried about losing consumer trust and sustaining damage to its brand image, that's something that “can be disastrous to a company, impacting profits and long-term survival,” says Don Heckman, leader of Guidehouse's Cybersecurity privacy and data protection capability offerings for Public and Commercial Sector clients.
“I can understand why a company would be hesitant to publicly report a major data breach, but I believe that consumers would be more understanding if they saw companies taking a proactive approach to address data breaches instead of trying to hide or downplay them,” Heckman adds.
Nachreiner agrees.
“I would argue they should have publicly informed ALL customers, even if they only knew of 10 million affected users,” Nachreiner explains. “If you’ve been breached, you should assume the attackers had access to more than you know or can prove. In short, it comes down to protecting your customers. Less transparency is less protection, and time for the customer to act to protect themselves.”
In hospitality, there is a common adage that is often heard on trade show floors and at events: "It's not if but when you'll be the victim of a data breach." For this reason, "companies of all sizes [...] need to have a proper plan in place if a data breach does occur," says Heather Paunet, Senior VP of Products & Marketing at Untangle. "They need to ensure they have ways to know what data was compromised, when and how they will communicate with their customers, and when incidents need to be publicly reported. Not being transparent about the extent of the data breach, or worse yet, not having any systems in place to determine the extent of the data breach, can cause irreparable damage to the company’s reputation."
Cloud Computing Isn't Infallible
“Initially it was reported as an unauthorized access due to a misconfiguration of the cloud services hosting MGM’s data,” says Heckman. "But now a hacker is claiming to have exploited a third-party data leakage monitoring service provider to gain access to MGM’s data. Both claims may be true.”
If the data was gained by access to the cloud, this indicates that cloud environments might not be as secure as was once thought.
“Cloud environments are rapidly rising as a source of risk for the enterprise,” says Vinay Sridhara, CTO of AI-backed cybersecurity posture transformation company Balbix. “Organizations, particularly those in targeted industries like hospitality, need tools that can effectively monitor cloud or hybrid environments for risk. When hacked information circulates around the dark web for years, every piece of data needs to be considered critical and must be stored securely.”
Heckman agrees.
“Misconfigurations, poorly implemented identity and access management solutions and insecure interfaces are some key challenges facing companies as they move their operations to the cloud and leverage third party service providers,” Heckman notes. “Having a well-thought-out cybersecurity strategy and architecture that includes understanding your high value assets, data and threats and addresses risks and vulnerabilities including those introduced by the supply chain is critical to securely operating in the cloud.”
Some Good News
One bright spot amid all of this is that the information breached seems to be rather unimportant, which is what MGM has claimed all along.
"Based on the cost of the data, it is likely that there isn’t much profitable information in the leak," say William Mendez and Eric Freeman from CyZen, a Friedman LLP Company. "Most of this data goes for much higher than $2,900 for 142 million records of PII. Meaning, there isn’t much data for an attacker to pivot with to increase the monetary value of the data (i.e. passwords that can be reused for a breach; credit card information that can be used to purchase items). This information can only really be used for social engineering campaigns that would provide additional access."
Ways to Mitigate Future Breaches
So what can other hospitality organizations do to prevent a similar attack from occurring within their business?
“To mitigate the risks of future data breaches and protect sensitive data, hospitality organizations and other companies need to have full visibility and control over their data,” says Kahol. “By leveraging multi-faceted solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage, organizations can ensure the privacy and security of customer information.”
But that’s not all.
“To protect sensitive personally identifiable information, companies need to invest in people, processes, and tools to ensure that they are able to keep data secure,” says Chris DeRamus, VP of Technology, Cloud Security Practice, DivvyCloud by Rapid7. “Enterprises must implement a continuous and automated cloud security strategy to detect and remediate threats, such as misconfigurations and compliance violations, in real-time. This allows companies like MGM Resorts to either automate the remediation of those vulnerabilities or alert the appropriate personnel of the issue in real-time before customer privacy is compromised.”
Visibility is also key. Recent breaches within the hospitality industry have happened in a multitude of ways. For example, Marriott said that employee login credentials were used to access guest information in 2020; additionally, its guest database was the victim of unauthorized access in 2019. Choice Hotels said it had an error in the Safari browser that could have likely occurred on either a Mac or an iOS device. MGM noted a hacked cloud server, and Drury and MGM customers were victims of third party services being attacked.
“The variety of these attacks shows that organizations need to have visibility into every possible point of entry on the spectrum of risk - from back end infrastructure to mobile devices,” says Hank Schless, Senior Manager, Security Solutions at Lookout. “Not only do they need to secure their services, but they also need to ensure that any employee device that accesses corporate data is protected, especially now when employees are relying more heavily on mobile devices to access that data as part of the shift to remote work.”
And to secure the cloud, specifically, companies should ensure their portion of the cloud solution is patched and properly configured, has robust identity and access management with multi-factor authentication (and least privilege principles), data encryption at rest and in transit, and proactive monitoring and incident response plans, Heckman notes.
“Companies should also consider their supply chain including third party service providers as a part of their cybersecurity program,” Heckman adds. “You’re only as strong as your weakest link. Cybercriminals will continue to target every industry sector including hospitality to steal data and commit fraud. Consumers need to minimize the information they provide to companies and remain vigilant in monitoring their online accounts.”
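The controls Heckman lists (patching and configuration, MFA and least privilege, encryption at rest and in transit, and third-party access), together with the automated misconfiguration detection Kahol and DeRamus describe, can be expressed as posture checks that run continuously against a resource inventory. The script below is an added example, not code from the article or from any vendor quoted in it. The inventory format is a hypothetical simplification written for this example, not any cloud provider's real API output, and the constructed sample inventory deliberately contains one compliant and one non-compliant resource of each kind. The cross-account trust check is modelled on the external-ID condition used in AWS role trusts; other providers have equivalent conditions.

```python
"""
Minimal cloud security posture check over a constructed inventory.

Added example (not from the article). INVENTORY is a hypothetical,
provider-neutral snapshot; real CSPM tooling would pull the same facts
from the provider's configuration APIs and run these rules on a schedule.
Each finding is (severity, resource_name, description).
"""

INVENTORY = {
    "storage_buckets": [
        {"name": "guest-records", "public_read": True,
         "encryption_at_rest": False, "tls_only": False},
        {"name": "guest-records-encrypted", "public_read": False,
         "encryption_at_rest": True, "tls_only": True},
    ],
    "iam_users": [
        {"name": "reservations-admin", "mfa_enabled": False,
         "policies": [{"actions": ["*"], "resources": ["*"]}]},
        {"name": "report-reader", "mfa_enabled": True,
         "policies": [{"actions": ["storage:GetObject"],
                       "resources": ["guest-records-encrypted/*"]}]},
    ],
    "third_party_roles": [
        # A vendor account trusted to read data: the kind of supply-chain
        # access the article says must be part of the security program.
        {"name": "leak-monitoring-vendor", "trusted_account": "111122223333",
         "requires_external_id": False,
         "actions": ["storage:GetObject", "storage:ListBucket"]},
    ],
    "compute_instances": [
        {"name": "booking-api-01", "pending_critical_patches": 3},
        {"name": "booking-api-02", "pending_critical_patches": 0},
    ],
}

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1}


def check_buckets(buckets):
    """Public exposure, encryption at rest, and encryption in transit."""
    findings = []
    for b in buckets:
        if b.get("public_read"):
            findings.append(("HIGH", b["name"], "bucket allows public read"))
        if not b.get("encryption_at_rest"):
            findings.append(("MEDIUM", b["name"], "no encryption at rest"))
        if not b.get("tls_only"):
            findings.append(("MEDIUM", b["name"], "non-TLS access permitted"))
    return findings


def check_iam_users(users):
    """MFA and least privilege (no wildcard actions or resources)."""
    findings = []
    for u in users:
        if not u.get("mfa_enabled"):
            findings.append(("HIGH", u["name"], "MFA not enabled"))
        for pol in u.get("policies", []):
            if "*" in pol.get("actions", []) or "*" in pol.get("resources", []):
                findings.append(("HIGH", u["name"],
                                 "wildcard policy violates least privilege"))
                break
    return findings


def check_third_party_roles(roles):
    """Supply-chain access: scoped actions and a confused-deputy guard."""
    findings = []
    for r in roles:
        if not r.get("requires_external_id"):
            findings.append(("MEDIUM", r["name"],
                             "cross-account trust without external ID condition"))
        if any(a == "*" or a.endswith(":*") for a in r.get("actions", [])):
            findings.append(("HIGH", r["name"], "third-party role has wildcard actions"))
    return findings


def check_instances(instances):
    """Patch hygiene: any pending critical patch is a finding."""
    return [("HIGH", i["name"], f"{i['pending_critical_patches']} critical patches pending")
            for i in instances if i.get("pending_critical_patches", 0) > 0]


def assess(inventory):
    """Run every rule and return findings ordered by severity, then resource."""
    findings = (check_buckets(inventory.get("storage_buckets", []))
                + check_iam_users(inventory.get("iam_users", []))
                + check_third_party_roles(inventory.get("third_party_roles", []))
                + check_instances(inventory.get("compute_instances", [])))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[1], f[2]))


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 4, 'MEDIUM': 3}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY)
    for sev, name, desc in results:
        print(f"[{sev}] {name}: {desc}")
    print(summarize(results))
```

Run against the sample inventory, only the deliberately weak resources (the public unencrypted bucket, the wildcard admin user without MFA, the vendor role with no trust condition, and the unpatched instance) produce findings; the hardened counterparts produce none. In practice the HIGH findings would feed the automated remediation or real-time alerting DeRamus describes, rather than a printed list.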