In 2017, Chinese state-sponsored hackers attacked Marriott Hotels, exposing details of 500 million guests in what was then claimed to be the largest hacking operation involving hotel guest information. On Wednesday, February 19, MGM Resorts confirmed that cybercriminals stole personal data of millions of its guests who stayed at the hotel last summer. According to reports, the stolen data was posted on a hacking forum.
The leaked data included names, addresses, and passport numbers of former guests. Those affected by the attack included celebrities like Justin Bieber and tech CEOs such as Twitter founder Jack Dorsey, as well as DHS and TSA officials. It should be noted that MGM has resorts in Las Vegas, Atlantic City and Detroit, as well as in China and Japan. It is also developing a new resort in Dubai.
MGM Resorts cybersecurity breach
The MGM hack was first revealed by ZDNet on Wednesday. According to its analysis, the hacked MGM data contained personal details of 10,683,188 former hotel guests. ZDNet reached out to guests of the hotel to confirm whether they had stayed at the property last summer.
They said, "We got confirmation from international business travellers, reporters attending tech conferences, CEOs attending business meetings, and government officials travelling to Las Vegas branches."
Cybercriminals posted extracted data
Even though names, addresses and passport numbers were extracted, MGM said it is sure that no financial information had been exposed. The resort also mentioned that at this time it is unable to say exactly how many guests were affected by the data leak.
A spokesperson from MGM stated, "Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter."
According to reports, MGM claimed that most of the stolen data consisted of phonebook information such as names, telephone numbers and email addresses. After the attack, the company notified almost 1,300 former guests that sensitive information, including passport numbers, had been revealed, while a further 52,000 guests were told that less sensitive personal data was leaked.
While most US states do not require companies to inform customers when already publicly available data is hacked, the resort chain has notified customers in accordance with state laws. According to the security research company Under the Breach, the exposed data is now a treasure trove of contact details for many high-profile users working for big tech firms and government organizations. They also said, "These users now face a higher risk of receiving spear-phishing emails, and being SIM swapped."