The 2019 data breach at luxury hotel chain MGM Resorts appears to be much larger than originally reported after researchers recently found 142 million hotel guests’ personal details for sale on the dark web.
Last summer’s data breach was initially reported to impact 10.6 million hotel guests after hackers were able to gain unauthorized access to a cloud server. This breach gained significant attention from the media after it was reported that high-profile guests, including Twitter CEO Jack Dorsey and Justin Bieber, were among those impacted by the breach.
According to ZDNet, an advertisement recently posted on the dark web reads, “MGM Resorts was hit by cybercriminals, first reported by ZDNet, who listed personal and contact details for 10.6 million hotel guests, including celebrities, employees and government officials. However, what was not reported was that MGM Grand Hotels was also breached, consisting of 142 million entries.”
The hacker behind the ad is looking to sell the personal information of approximately 142,479,937 MGM guests for $2,939, with information including first names, last names, street addresses, email addresses, phone numbers and dates of birth. While sensitive financial information and Social Security numbers have not been compromised in this breach, the information available is more than enough to give identity thieves a head start in their attack efforts.
The hacker behind this attack claims to have gained access to the treasure trove of data after hacking into a threat-intelligence monitoring platform called DataViper, owned by Night Lion Security. The founder of Night Lion Security, Vinny Troia, adamantly denies this claim and says that the company has never owned a copy of the full MGM database. He claims that hackers are just trying to destroy his company’s reputation. However, news broke this week after an investigation from Brian Krebs found that DataViper’s systems had been targeted by hackers and recorded 8,200 databases stolen. According to Krebs, DataViper provides access to “some 15 million usernames, passwords, and other information exposed in more than 8,000 website breaches.” It’s alleged that hackers have posted its databases online, including over 2 billion records collected from past data breaches.
MGM learned of the data breach last year, but never went public with this incident. However, in accordance with local data breach notification laws, the company did notify impacted customers of the security incident. When reached for comment, an MGM spokesperson told ZDNet that “MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation.”
However, the stolen data could be even bigger than the 142 million count that stands today. Threat intelligence firm KELA told ZDNet in February that the MGM data had been circulating and was being sold in private hacking forums since July of last year. It’s also been reported that ads on Russian-speaking hacking forums promoted the MGM data breach as containing personal information on over 200 million hotel guests.