The MGM Resorts 2019 data breach is much larger than initially reported, and is now believed to have impacted more than 142 million hotel guests, and not just the 10.6 million that ZDNet initially reported back in February 2020.
The new finding came to light over the weekend after a hacker put up for sale the hotel’s data in an ad published on a dark web marketplace. According to the ad, the hacker is selling the details of 142,479,937 MGM hotel guests for a price of just over $2,900.
More information:
It seems as though what happens in Vegas doesn’t necessarily stay in Vegas. That includes peoples’ sensitive, personal information. While MGM by all accounts has been proactive and responsive in terms of sharing the scope and impact of the breach, they acknowledge the fact that even if financial information was not intercepted, certainly, individuals’ personal data was.
Regulatory mandates in many jurisdictions, mandates such as GDPR and CCPA, stipulate the due-diligence protection of private, personal data which could lead to an identified or identifiable data subject. To avoid a breach such as this one from triggering regulatory scrutiny and all the associated negative repercussions, data-centric security measures such as tokenization—which replaces sensitive data with benign and meaningless tokens—can ensure that even if sensitive data finds its way into the general public, nobody would be able to leverage that information for nefarious purposes.