MGM Resorts has
confirmed there was unauthorized access to one of the company’s cloud servers in
2019 that contained information on a reported 10.6 million guests, possibly
including several high-profile guests.

MGM did not confirm the
number of people involved, but ZD
Net working with the new security firm Under
the Breach reportedly found data on 10,683,188 that SC Media was able to confirm included full
names, home addresses, phone numbers, emails, and dates of birth, posted to a hacking
forum.

“Last summer, we
discovered unauthorized access to a cloud server that contained a limited
amount of information for certain previous guests of MGM Resorts. We are
confident that no financial, payment card or password data was involved in this
matter,” MGM Resorts told SC Media in a statement.

The company believes no financial data or passwords were included in the data dump, adding it has informed the customers involved.

However, Ray Walsh, data
privacy advocate at ProPrivacy, said some customers did have more sensitive
data exposed.

“MGM Resorts has claimed
that no financial, card payments or passwords were stolen during the breach.
However, it would appear that at least 1,300 individuals had extremely
sensitive data stolen during the incident – including personal information from
their driver’s license, passport, and even military ID cards,” he said.

The company did not say
exactly how or why the cloud server was exposed, but Matt Walmsley, EMEA
Director at Vectra, believes is likely one of the normal causes behind such
breaches.

“MGM has acknowledged a
cloud ‘server exposure’. This could have easily been caused from poor cloud
configuration and security hygiene, or from offensive attacker behaviors. As
practitioners, we need to stop treating cloud separately from a security
perspective,” he said.

MGM Resorts said it promptly
notified guests potentially impacted by this incident in accordance with
applicable state laws, retained two cybersecurity forensics firms to assist
with its internal investigation, review and remediation of the issue.

The fact that the breach
happened about seven months ago without any public disclosure may have led MGM
to believe the data was not going to be used by the thieves, but as with many breaches
malicious actors sometimes wait months or years to tip their hand, said Adam
Laub, CMO, STEALTHbits Technologies:

“This is a great example
of how these breaches and their fallout can continue to haunt businesses for
quite some time. It’s likely MGM thought this incident was far in the rear
view, but the value of their particular dataset continues to have appeal,
despite its age and the potential staleness in certain spots,” Laub said.

Hotel chains and travel
companies were major targets for cybercrimials in 2019 with several being hit
with Magecart card skimming malware and others suffering from exposed cloud servers
like MGM Resorts.

• Choice
  Hotels in August 2019 had an open MongoDB database discovered with information
  on 700,000 customers being taken and then held for ransom.
• Two unnamed hotel
  chains discovered Magecart on their third-party online booking software.
• In May 2019
  it was found the Pyramid
  Hotel Group stored security info on openly accessible Elasticsearch server
  with 85.4GB of data.
• A bug in the
  Amadeus
  online reservation system which is used by 44 percent of the international air carrier
  market made it possible to access and change reservations with just a booking
  number.