The MGM Resorts 2019 data breach is much larger than the initially reported 10.6 million guests. It is believed to have affected more than 142 million hotel guests. The hacker is selling the information on the dark web for just over $2,900.

Expert Comments

July 16, 2020
Trevor Morgan
Product Manager
comforte AG
It seems as though what happens in Vegas doesn’t necessarily stay in Vegas. That includes people’s sensitive, personal information. While MGM by all accounts has been proactive and responsive in terms of sharing the scope and impact of the breach, they acknowledge the fact that even if financial information was not intercepted, certainly individuals’ personal data was. Regulatory mandates in many jurisdictions, mandates such as GDPR and CCPA, stipulate the due-diligence protection of private, personal data which could lead to an identified or identifiable data subject. To prevent a breach such as this one from triggering regulatory scrutiny and all the associated negative repercussions, data-centric security measures such as tokenization—which replaces sensitive data with benign and meaningless tokens—can ensure that even if sensitive data finds its way into the general public, nobody would be able to leverage that information for nefarious purposes.
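The tokenization approach the comment describes, as an added example that is not part of the original commentary or of any vendor's product: sensitive guest fields are swapped for random tokens and the only way back is a separately held vault, so a leaked copy of the tokenized table carries no usable personal data. The field names and sample records are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Guest-record fields that must never sit in clear in the booking table.
SENSITIVE_FIELDS = ("name", "email", "phone", "address")

@dataclass
class TokenVault:
    """Token <-> value map; in production a separately secured store."""
    _by_value: dict = field(default_factory=dict)  # value -> token
    _by_token: dict = field(default_factory=dict)  # token -> value

    def tokenize(self, value: str) -> str:
        # Same value -> same token keeps records joinable; the token itself
        # is random and carries no information about the value.
        token = self._by_value.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._by_value[value] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]  # KeyError if this vault never issued it

def tokenize_record(record: dict, vault: TokenVault) -> dict:
    """Copy of the record with sensitive fields swapped for tokens."""
    return {k: vault.tokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def detokenize_record(record: dict, vault: TokenVault) -> dict:
    """Inverse of tokenize_record; works only with the issuing vault."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}

def exposed_values(tokenized_rows: list, original_rows: list) -> set:
    """Clear-text sensitive values from the originals that still appear in
    the tokenized rows; empty when tokenization has done its job."""
    originals = {r[f] for r in original_rows for f in SENSITIVE_FIELDS}
    present = {v for r in tokenized_rows for v in r.values()}
    return originals & present

# Constructed sample guest records (not real data).
GUESTS = [
    {"id": 1, "name": "A. Guest", "email": "a.guest@example.com",
     "phone": "+1-555-0100", "address": "1 Example Rd", "nights": 3},
    {"id": 2, "name": "B. Guest", "email": "b.guest@example.com",
     "phone": "+1-555-0101", "address": "2 Example Rd", "nights": 1},
]
```

Non-sensitive columns such as `id` and `nights` stay queryable, while a second vault that did not issue the tokens cannot recover anything from them.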
July 16, 2020
Boris Cipot
Senior Sales Engineer
Synopsys
Whenever we read or hear about a breach, we immediately begin by wondering how the breach happened, who is behind it, as well as what information was accessed. It fills us with a sense of excitement but also worry, as we wonder what the consequences are and if our own data is impacted. If it is, we are anxious to know what we can do about it. In many cases, we start thinking of the ties we have with the breached organisation. In the case of the Data Viper breach, however, we are in entirely new territory. In fact, many people do not even know of Data Viper, and yet, this company might have their data. Usernames, passwords, email addresses… All of which have been allegedly stolen. It amounts to more than 2 billion records accumulated over the years from more than 8000 breaches of other organisations. As Data Viper is a cyber security company, data is gathered in order to help law enforcement organisations worldwide and provide paying customers with information about breaches. Yet, when we look deeper, we find that Data Viper may have dabbled in illegal activity of their own. In fact, they gathered data from breaches through false identities in illegal forums, which is prohibited by the US Department of Justice. The reason this breach occurred in the first place appears to be an act of retaliation by cybercriminals upset about being misled in such forums - an interesting turn of events, no doubt. The reason for this breach as well as who is behind it continues to be a mystery that will hopefully be solved soon. Until then, we can still take away two key lessons. Firstly, organisations should not store data they do not need for legitimate business reasons, as just an email or password could be enough to compromise one's identity. Secondly, if an organisation does need to store that data, store it safely and separately from all other data - encrypt it and lock it up. Otherwise, someone could exploit this vulnerability (in this case, reused passwords) and use it against you.
July 15, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
The scope of the MGM Grand data breach appears to be much wider than originally thought. However, the details are murky. Is the information for sale really legitimate? Was the information pulled from MGM Grand or from a leak monitoring system? We might never know the real story. What is crystal clear, however, is the importance of properly handling sensitive information, both for consumers and for organisations. For consumers, the continual stampede of data breaches shows that much more of your information is available to a much wider audience than ever before. Be very skeptical when someone uses your information to appear to be a legitimate organisation. As for passwords, make sure you use strong passwords and do not ever reuse the same password across multiple different services. Use two-factor authentication whenever possible. For those building software and systems, security must be front-of-mind in every phase, from design through implementation to maintenance. Security cannot be added on as an afterthought. Sensitive data must be protected in multiple layers, such as strong access controls, encryption for data in transit, and encryption of data at rest. With proper design and implementation, systems can safeguard sensitive information by making the attacker cost prohibitively high.
July 15, 2020
Paul Bischoff
Privacy Advocate
Comparitech
MGM Hotel guests should be on the lookout for targeted scams and phishing messages from fraudsters posing as MGM or a related company. These attacks might come via phone or email and might include information such as your name and address in order to make them more personalised and convincing. Never click on links in unsolicited emails, check the spelling of the sender's email domain, and be sure to verify the sender before responding using the contact information found through a Google search.
July 15, 2020
Matt Keil
Director of Product Marketing
Cequence Security
It's not uncommon to see attacks increase across a range of industries due to the discouraged and poor security practice of re-using passwords. This means that MGM, and many other organizations, will be the victims of increased account takeover activity as a result of the Data Viper credentials theft. Interestingly, Data Viper, a purported security company, lost its database as a result of poor API secure coding practices – the developer left their credentials exposed in an API usage document. The scope of the breach and the technique used highlight two areas of weak security practices. The first weakness is the fact that many of the databases collected by Data Viper were the result of poor cloud-based implementations – they had little or no access control and authentication configured, or the API keys were left exposed – so the data was freely accessible to anyone on the web. The second weakness is the developer error of leaving API credentials exposed, an all too common error made by many organizations that are moving (rapidly) to an API-based development methodology.
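A defensive check for the second weakness the comment names, credentials left in an API usage document, as an added example that is not part of the original commentary: a small pre-publication scanner that flags credential-shaped values in documentation while ignoring obvious placeholders, plus a redactor for what it finds. The rule set, the placeholder heuristics and the sample document are constructed for illustration (the AWS key shown is AWS's own documented example value).

```python
import re

# Credential shapes commonly left behind in API usage docs. Constructed and
# deliberately small; a real deployment uses a maintained rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "bearer_token": re.compile(r"(?i)\bBearer\s+([A-Za-z0-9._\-]{20,})"),
    "assigned_api_key": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"),
}
# Obvious documentation placeholders are not findings.
PLACEHOLDER = re.compile(r"(?i)<[^>]+>|\{\{[^}]+\}\}|\bYOUR_[A-Z_]+\b|x{3,}")

def scan_document(text: str) -> list:
    """Return [{'line': n, 'rule': name, 'match': value}] for every
    credential-like value in text whose slot is not an obvious placeholder."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1)
                if PLACEHOLDER.search(value):
                    continue
                findings.append({"line": lineno, "rule": rule, "match": value})
    return findings

def redact(text: str) -> str:
    """Same text with every finding replaced by <REDACTED:rule>, safe to publish."""
    lines = text.splitlines()
    for f in scan_document(text):
        lines[f["line"] - 1] = lines[f["line"] - 1].replace(
            f["match"], f"<REDACTED:{f['rule']}>")
    return "\n".join(lines)

# Constructed sample API usage document (not a real one).
API_DOC = """\
# Breach lookup API - usage notes
curl -H "Authorization: Bearer <your-token>" https://api.example.com/v1/lookup
export API_KEY=YOUR_API_KEY_HERE_XXXXXXXX
# Pasted from a developer's local shell; this is the kind of slip to catch:
export API_KEY=k9f3Q2mZ8pL1vX7cR4tB6nY0wH5jD2sA
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""
```

Run as a pre-commit or CI step over the docs tree, the scanner turns this class of developer slip into a build failure rather than a breach.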
July 15, 2020
Chris DeRamus
VP of Technology Cloud Security Practice
Rapid7
It’s not surprising the MGM Resorts data breach is more extensive than originally thought. Hotels collect highly sensitive information from their guests, including names, phone numbers, home and email addresses, and more. As such, cyberattacks aimed at hospitality organizations are on the rise and MGM is not the first and won't be the last. In recent years, we’ve seen multiple hotel giants, such as Choice Hotels and Marriott’s Starwood Hotels, suffer from costly data breaches. To protect sensitive personally identifiable information, companies need to invest in people, processes, and tools to ensure that they are able to keep data secure. Enterprises must implement a continuous and automated cloud security strategy to detect and remediate threats, such as misconfigurations and compliance violations, in real time. This allows companies like MGM Resorts to either automate the remediation of those vulnerabilities or alert the appropriate personnel of the issue in real time before customer privacy is compromised.
July 15, 2020
Jake Moore
Cybersecurity Specialist
ESET
Cybercriminals can do a lot of damage with a large list simply containing names and emails, so if this is genuine, it could cause people’s identities to be targeted. MGM has made users aware, but the latest figure of victims is far bigger than the original total under fire. I would recommend anybody who has ever handed over personal data to MGM to be extremely cautious when opening emails suggesting they are from MGM or partners. Phishing emails that request any further data can be used in conjunction with stolen data from the breach and could be used in a future attack or identity theft. It is now vital that all affected customers are extra vigilant whenever they receive unsolicited emails or emails that appear to be from MGM, as these could easily be fake emails with links to a well-crafted cloned website. It would have been quite a feat to have not had at least one of your passwords stolen or some of your data compromised in a breach in the last decade, so it is widely advised to have separate passwords for each account and only ever hand over limited mandatory information when requested.