Last summer, personal information of 10.6 million guests staying at MGM Resorts hotels was compromised. ZDNet first revealed the hack on Wednesday, claiming the stolen information had been posted to a hacking website this week. MGM confirmed to the BBC that the attack had taken place.
The exposed data included former visitors full names, home address, date of birth and passport numbers. MGM said that it was “confident” that no financial information was released. The resort chain said it couldn’t tell exactly how many people had been impacted because information that was revealed could be duplicated. Reportedly, the data does not contain information from guests who stayed at the resorts after 2017.
A spokesperson for MGM Resorts said: “Last summer, we discovered unauthorised access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.”
MGM said most of the stolen data was “phonebook information” such as names, phone numbers and email addresses, which are already available to the public. Yet about 1,300 former guests were informed that more sensitive information had been released, including passport numbers. A further 52,000 consumers were told they revealed less sensitive personal information. That was just a portion of those that were affected.
MGM has said that its consumer contact meets state laws. Most US states do not require businesses to tell customers if a hack has compromised data which is already public.
According to ZDNet, celebrities such as Justin Bieber and Twitter CEO Jack Dorsey were reportedly among those who were affected. Many targeted would also include officials from government, including Homeland Security Department and Transportation Safety Administration; frequent visitors, reporters, and FBI agents. That has not been confirmed by MGM. ZDNet said a security researcher from Under the Breach, a soon-to-be-launched data breach monitoring service, had checked the validity of the data.
MGM has casinos in the United States, in Las Vegas, Atlantic City and Detroit. It also owns property in China and Japan, and is developing a new Dubai resort. The casinos in Las Vegas also attract thousands of visitors to casino tournaments, boxing matches and UFC games.
Cyber-attackers can use all sorts of information to threaten a person online, even less sensitive data. This isn’t the growing theft of information about hotel guests. Marriott Hotels experienced a much greater data breach in 2017 which exposed 500 million guests. The assault was linked to hackers funded by the Chinese state.