The MGM Resorts 2019 data breach is much larger than the initially reported 10.6 million guests. It is believed to have impacted more than 142 million hotel guests. The hacker is selling the information on the dark web for a price of just over $2,900.
MGM Resorts has said that the set of data obtained through breach includes contact information like names, postal addresses, and email addresses guests. https://t.co/3GKFvTojDG
— Financial Express (@FinancialXpress) July 14, 2020
It seems as though what happens in Vegas doesn’t necessarily stay in Vegas. That includes peoples’ sensitive, personal information. While MGM by all accounts has been proactive and responsive in terms of sharing the scope and impact of the breach, they acknowledge the fact that even if financial information was not intercepted, certainly individuals’ personal data was.
Regulatory mandates in many jurisdictions, mandates such as GDPR and CCPA, stipulate the due-diligence protection of private, personal data which could lead to an identified or identifiable data subject. To avoid a breach such as this one from triggering regulatory scrutiny and all the associated negative repercussions, data-centric security measures such as tokenization—which replaces sensitive data with benign and meaningless tokens—can ensure that even if sensitive data finds its way into the general public, nobody would be able to leverage that information for nefarious purposes.
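The tokenization idea described above, sketched as an added example that is not code from MGM or from the commentators quoted here. The `TokenVault` class, the field names and the guest record are assumptions made for illustration; the contact fields mirror the ones named in the breach report (names, postal addresses, email addresses).

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Vault-style tokenization: random tokens, mapping kept apart from app data."""

    def __init__(self):
        # Assumption: in production the key and both maps live in a separate,
        # access-controlled service, not in the application process.
        self._index_key = secrets.token_bytes(32)
        self._by_index = {}   # keyed hash of value -> token
        self._by_token = {}   # token -> original value

    def tokenize(self, value: str) -> str:
        # Keyed lookup index so the same value always gets the same token,
        # which keeps joins and de-duplication working on tokenized data.
        idx = hmac.new(self._index_key, value.encode(), hashlib.sha256).digest()
        token = self._by_index.get(idx)
        if token is None:
            # The token is random, not derived from the value, so it cannot
            # be reversed or brute-forced without the vault's mapping.
            token = "tok_" + secrets.token_hex(16)
            self._by_index[idx] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


# Hypothetical field names for the contact data mentioned in the article.
SENSITIVE_FIELDS = ("name", "postal_address", "email")


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return the copy of a guest record that the application database stores."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


# Constructed sample guest record (not real data).
GUEST = {"guest_id": 1001, "name": "Alex Example",
         "postal_address": "1 Sample St, Springfield", "email": "alex@example.com"}

if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(vault, GUEST)
    print("application table row:", stored)   # what a database dump would expose
    print("authorized lookup:", vault.detokenize(stored["email"]))
```

A dump of the application table yields only `tok_...` strings; recovering the original values requires access to the vault, which is why the vault must be stored and access-controlled separately from the data it protects.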
Whenever we read or hear about a breach, we immediately begin by wondering how the breach happened, who is behind it, as well as what information was accessed. It fills us with a sense of excitement but also worry, as we wonder what the consequences are and if our own data is impacted. If it is, we are anxious to know what we can do about it. In many cases, we start thinking of the ties we have with the breached organisation.
In the case of the Data Viper breach, however, we are in entirely new territory. In fact, many people do not even know of Data Viper, and yet, this company might have their data. Usernames, passwords, email addresses… All of which have been allegedly stolen. It amounts to more than 2 billion records accumulated over the years from more than 8000 breaches of other organisations.
As Data Viper is a cyber security company, data is gathered in order to help law enforcement organisations worldwide and provide paying customers with information about breaches. Yet, when we look deeper, we find that Data Viper may have dabbled in illegal activity of their own. In fact, they gathered data from breaches through false identities in illegal forums, which is prohibited by the US Department of Justice. The reason this breach occurred in the first place appears to be an act of retaliation by cybercriminals upset about being misled in such forums – an interesting turn of events, no doubt.
The reason for this breach as well as who is behind it continues to be a mystery that will hopefully be solved soon. Until then, we can still take away two key lessons. Firstly, organisations should not store data they do not need for legitimate business reasons, as just an email or password could be enough to compromise one's identity. Secondly, if an organisation does need to store that data, store it safely and separately from all other data – encrypt it and lock it up. Otherwise, someone could exploit this vulnerability (in this case, reused passwords) and use it against you.
The scope of the MGM Grand data breach appears to be much wider than originally thought. However, the details are murky. Is the information for sale really legitimate? Was the information pulled from MGM Grand or from a leak monitoring system? We might never know the real story.
What is crystal clear, however, is the importance of properly handling sensitive information, both for consumers and for organisations.
For consumers, the continual stampede of data breaches shows that much more of your information is available to a much wider audience than ever before. Be very skeptical when someone uses your information to appear to be a legitimate organisation.
As for passwords, make sure you use strong passwords and do not ever reuse the same password across multiple different services. Use two-factor authentication whenever possible.
For those building software and systems, security must be front-of-mind in every phase, from design through implementation to maintenance. Security cannot be added on as an afterthought. Sensitive data must be protected in multiple layers, such as strong access controls, encryption for data in transit, and encryption of data at rest. With proper design and implementation, systems can safeguard sensitive information by making the attacker cost prohibitively high.
MGM Hotel guests should be on the lookout for targeted scams and phishing messages from fraudsters posing as MGM or a related company. These attacks might come via phone or email and might include information such as your name and address in order to make them more personalised and convincing. Never click on links in unsolicited emails, check the spelling of the sender's email domain, and be sure to verify the sender before responding using the contact information found through a Google search.
It's not uncommon to see attacks increase across a range of industries due to the discouraged and poor security practice of re-using passwords. This means that MGM, and many other organizations, will be the victims of increased account takeover activity as a result of the Data Viper credentials theft.
Interestingly, Data Viper, a purported security company, lost its database as a result of poor API secure coding practices – the developer left their credentials exposed in an API usage document. The scope of the breach and the technique used highlight two areas of weak security practices. The first weakness is the fact that many of the databases collected by Data Viper were the result of poor cloud-based implementations – they had little or no access control and authentication configured, or the API keys were left exposed – so the data was freely accessible to anyone on the web. The second weakness is the developer error of leaving API credentials exposed, an all too common error made by many organizations that are moving (rapidly) to an API-based development methodology.