The MGM Resorts 2019 data breach is much larger than initially reported, and is now believed to have impacted more than 142 million hotel guests, and not just the 10.6 million that ZDNet initially reported back in February 2020.
The new finding came to light over the weekend after a hacker put up for sale the hotel’s data in an ad published on a dark web cybercrime marketplace.
According to the ad, the hacker is selling the details of 142,479,937 MGM hotel guests for a price just over $2,900.
The hacker claims to have obtained the hotel’s data after they breached DataViper, a data leak monitoring service operated by Night Lion Security.
Vinny Troia, founder of Night Lion Security, told ZDNet in a phone call that his company never owned a copy of the full MGM database and that the hackers are merely trying to ruin his company’s reputation.
MGM was aware of the scope, chose to stay silent
Reached for comment on Sunday, MGM Resorts issued a statement claiming they were aware of the scope of the breach.
The MGM breach occurred in the summer of 2019 when a hacker gained access to one of the hotel’s cloud servers and stole information on the hotel’s past guests.
MGM learned of the incident last year, but never made the security breach public, choosing instead to notify impacted customers, in accordance with local data breach notification laws.
The rest of the world eventually learned of the hack in February 2020 after ZDNet received a tip about a batch of 10.6 million MGM hotel guests’ data being offered as a free download on a hacking forum.
At the time, MGM admitted to suffering a security breach, but the company didn’t disclose the full breadth of the intrusion.
“MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation,” an MGM spokesperson told ZDNet in an email today, referring to the company’s legal obligations to notify impacted users.
There are no legal obligations for companies to disclose exact statistics about their breaches, as long as they notify all affected users.
An MGM spokesperson also pointed out that “the vast majority of data consisted of contact information like names, postal addresses, and email addresses.”
Financial information, ID or Social Security numbers, and reservation (hotel stay) details were not included, MGM said in February, which ZDNet is able to confirm after reviewing two different batches of MGM data — the 10.6 million user records leaked in February and a newer 20 million batch shared by the hackers on Sunday.
Dates of birth and phone numbers were also included, which is how we were able to confirm the breach in the first place, by contacting past hotel guests.
Bigger than 142 million?
However, the MGM data could be even bigger than the 142 million count we have today.
Irina Nesterovsky, Head of Research at threat intel firm KELA, told ZDNet back in February that the MGM data had been circulating and was being sold in private hacking circles since at least July 2019.
Posts on Russian-speaking hacking forums promoted the MGM data breach as containing details on more than 200 million hotel guests.
In light of the new revelation, MGM still declined to share a total user count for the entire breach.
The company is caught between the proverbial rock and a hard place. If the company reveals the full scope of the breach, it stands to be lambasted in the media for suffering a giant security breach, and attempting to hide it.
However, after thoroughly reviewing the two different sets of MGM user data samples of over 30 million records, ZDNet can confirm that for a large number of hotel guests, the only detail included was their name, with little other information. So, this was a mega breach, but one with few consequences for many of MGM’s customers, who only had their names leaked, and nothing else. Nonetheless, millions of other hotel guests were not so lucky.