Cybersecurity experts commented tonight on breaking news that the personal details of more than 10.6 million users who stayed at MGM Resorts hotels have been published on a hacking forum this week. Besides details for regular tourists and travelers, included in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.
Exclusive: Details of 10.6 million of MGM hotel guests posted on a hacking forum
– Leak took place in July 2019
– Customers notified in August 2019
– Leak traced back to a misconfigured cloud server
– Data was posted online this weekhttps://t.co/z6HLJfVW5V pic.twitter.com/9UpFOr9t42— Catalin Cimpanu (@campuscodi) February 19, 2020
This breach is significant and the dumping of a treasure trove of customer details once again underlines the importance of having the same security levels for data that’s on premise, as for data stored in the cloud, to reduce the risks associated with hacks such as this. It’s a near-universal challenge for enterprises: the move to hybrid environments and more complex, fragmented networks makes it even harder to keep control. Without consistent policies you can pretty soon have a tangle of security gaps and compliance violations.
Last summer, MGM discovered unauthorized access to a cloud server that contained guest information. The issue with MGM and similar breaches is that businesses are not adequately securing consumer data – whether in the cloud, in their network or at the point of intake – leaving personal information in the \’clear\’ and just waiting to be stolen. Companies need to devalue this data with security technologies like encryption and tokenization, otherwise these compromises will continue to happen
Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world.
Organisations who hold any personal data of their customers must really improve their protection of such data.
There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. Organisations need to be taking action to move towards this as a priority. Security Analytics and Automation will provide the right foundations for delivering on Zero Trust and provide better security for their customers’ data as well as the organisations critical data and Intellectual Property.
Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world.
Organisations who hold any personal data of their customers must really improve their protection of such data.
There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. Organisations need to be taking action to move towards this as a priority. Security Analytics and Automation will provide the right foundations for delivering on Zero Trust and provide better security for their customers’ data as well as the organisations critical data and Intellectual Property.”
Cloud servers have been a consistent feature in many of the biggest data breach stories we have seen recently. In this case, it appears that criminals gained unauthorised access, which allowed them to extract data such as names, addresses, and passport details. It\’s a stark reminder of the risk that comes with cloud transformation – in the past this data would have been held on the hotel\’s own servers. In many ways, moving to the cloud has eroded the traditional perimeters that protected data, so companies need to make sure they have new security practices for the cloud.
Now this data has been stolen, and published on a hacking forum, criminals will be looking at how they use it to launch a new spate of attacks. It isn\’t financial information, so they can\’t cash it in right away, but the personal data of high profile individuals has its own value. The most likely form of attack we will see is impersonation attacks. Executives and CEOs who have had their data stolen should be asking if their organisation’s security is capable of defending against impersonation attacks, and must alert their companies to be on the lookout for any communications that may be using their personal details to impersonate them.