MGM Resorts Data Breach Exposes Personal Info of 10.6 Million Guests

Were you hacked at your last stay at an MGM Grand property? Personal details of some 10.6 million guests were reportedly posted on a hacker forum this week. MGM confirmed that the breach took place last year. The company says it reported the breach to residents of states that require reporting of breaches of “phonebook data.”

Source: Forbes | Published on February 21, 2020

A ZDNet report says that it’s not just holiday travelers whose data was exposed. Personal and contact information was leaked for celebrities, reporters and, perhaps most worryingly, US military and government officials and executives at technology companies. Two names mentioned are Justin Bieber and Twitter CEO Jack Dorsey.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter,” said an MGM spokesperson. “MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws.”

Similar breaches of customer data security at Equifax, one of the largest credit reporting services, and Marriott Hotels have been potentially linked to Chinese military intelligence. The Marriott breach, of the Starwood reservation database, may have exposed the data of up to 500 million customers. Some believe that hotel chains like MGM and travel companies have become a target for Chinese espionage because of all their stored data on US executives of high-tech companies as well as officials with security clearances.

When MGM discovered the breach in 2019, a spokesperson said the company “retained two leading cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue.”

MGM says it has strengthened and enhanced its network security to prevent future breaches. Based on the investigation, a source close to the company insists that the vast majority of the information lifted was “phonebook data.” Such information, like first and last name, address, phone number and, perhaps, date of birth, can be found in a phonebook or a Google search. The company seems confident that no financial information or passwords were exposed.