Stolen information belonging to 10.6 million MGM Resorts guests was posted to a hacking forum that is easily accessible to anyone.
MGM Resorts International is an American company that operates in Las Vegas and Atlantic City and has properties in China and Japan. Its Las Vegas resorts attract thousands of guests for casino tournaments, boxing matches and UFC fights.
“Last summer, we discovered unauthorised access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” the spokesperson for MGM Resorts said.
Personal Information exposed
The data included 10,683,188 records of personal information on former MGM guests: full names, email addresses, street addresses, phone numbers and dates of birth. Those affected include high-profile guests such as Twitter CEO Jack Dorsey, pop star Justin Bieber and officials from the Department of Homeland Security (DHS) and the Transportation Security Administration (TSA), as well as regular tourists, reporters and FBI agents.
“About 1,300 individuals had more sensitive data from their driver’s license, passports or military ID cards exposed,” reported The New York Times.
The data contains no information from guests who stayed at the resorts after 2017.
MGM said it is confident that no financial or password data was involved in the security incident.
All impacted hotel guests are notified in accordance with applicable state laws. The exact number of impacted people cannot be predicted, as the exposed information might contain duplicates.
Many of the phone numbers were valid, which puts the affected guests at higher risk of receiving spear-phishing emails and of being SIM swapped.
“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” the company said.
MGM Resorts hired two cybersecurity forensics firms to conduct an internal investigation.