MGM data breach was far worse than originally thought

Millions more MGM Resorts guests were compromised than first thought, in a data breach that took place in the summer of 2019 and came to light earlier this year.

In February, TechRadar Pro reported that the details of 10.6 million customers had been acquired by hackers. However, the actual figure was revealed to be far greater after the personal records of roughly 142.5 million guests were put up for sale on an underground marketplace.

Available for $2,900 worth of either Bitcoin or Monero, the database is said to contain personally identifiable information such as names, postal and email addresses, phone numbers and dates of birth, but no financial information.

MGM data breach

The MGM breach came about as a result of a security vulnerability in one of the hotel chain’s cloud servers, which allowed hackers to siphon information about previous guests, including Twitter CEO Jack Dorsey and pop star Justin Bieber.

After uncovering the incident, MGM alerted the affected customers as per applicable data protection regulations, but did not publish any information about the breach.

The attack first came to light after the details of 10.6 million customers were posted to an online hacking forum - a data set that now appears to account for only a small proportion of the total number of guests affected.

The hacker responsible for the newly listed database, containing millions of additional records, claims to have scraped the data during a recent attack on data leak monitoring service DataViper.

However, the founder of DataViper parent company Night Lion Security has disputed the assertion, which he referred to as an attempt to tarnish the reputation of his business.

MGM claims to have always been aware of the total number of guests compromised, which the firm was not legally obliged to disclose.

“MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation,” said the company. 

It could later emerge, however, that the breach is even larger than the 142.5 million figure that came to light today, with a post to one Russian hacking forum boasting of a database stocked with information on upwards of 200 million MGM customers.

Via ZDNet