Personal Details Of 10.6M MGM Hotel Guests Posted On A Hacking Forum – Cybersecurity Experts React

Cybersecurity experts commented tonight on breaking news that the personal details of more than 10.6 million users who stayed at MGM Resorts hotels have been published on a hacking forum this week. Besides details for regular tourists and travelers, included in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.

Expert Comments

February 24, 2020
Thorsten Geissel
Director Sales Engineering
Tufin
This breach is significant and the dumping of a treasure trove of customer details once again underlines the importance of having the same security levels for data that’s on premise, as for data stored in the cloud, to reduce the risks associated with hacks such as this. It’s a near-universal challenge for enterprises: the move to hybrid environments and more complex, fragmented networks makes it even harder to keep control. Without consistent policies you can pretty soon have a tangle of security gaps and compliance violations.
February 21, 2020
Becky Nicholson
Data Privacy Consultant
Bridewell Consulting
We are in danger of becoming numb to data breaches, due to the frequency and scale they are being reported. All organizations must take steps to protect their systems and ultimately customer data. This means taking basic steps such as putting in place regular security assessments, a strong patching and password policy, and enforcement of multi-factor authentication on every public-facing system. These are not silver bullets but can go a long way to improving security. At this stage, it’s not clear how the hacker managed to gain access to MGM’s cloud server. However, technical defense is still paramount, and in particular, regular penetration testing is vital. It’s also just as important to test employee awareness. Employees will always be the weakest link but with the right education can be an organization’s biggest asset in terms of defense. Such employee awareness training can also be measured by regular phishing or red team assessments.
February 21, 2020
Tal Zamir
Founder and CTO
Hysolate
This is yet another example of attackers having the upper hand. Defenders have to protect a huge attack surface with multiple points of failure. The biggest gap relates to users and their devices. With over 5.7 million source code files and 50+ million lines of code (estimate), it’s almost impossible to successfully defend the operating system (OS) running on a user’s device. For this very reason, Microsoft is now recommending that users leverage an isolated and dedicated OS to conduct sensitive or privileged tasks, and another isolated OS to conduct their daily corporate/personal tasks. There are two ways to accomplish this - physical air gaps via two physically separated devices, or, virtual air gaps which leverage virtualization to isolate two or more operating systems on one physical device.
February 20, 2020
Adam Laub
CMO
STEALTHbits Technologies
This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal, despite its age and the potential staleness in certain spots. Something every organization can do to mitigate the risk of unauthorized access to sensitive data is to proactively seek its whereabouts. Knowing where it is should and often does lead to another series of important questions such as who has access to it, who is accessing it, how often is it being accessed, and is it even needed in the first place? This sort of practice is becoming much more commonplace due to regulations such as the EU GDPR and California’s CCPA, which is a good direction for organizations to be headed in to avoid situations like these.
February 24, 2020
John Perry
CEO
Bluefin
Last summer, MGM discovered unauthorized access to a cloud server that contained guest information. The issue with MGM and similar breaches is that businesses are not adequately securing consumer data – whether in the cloud, in their network or at the point of intake – leaving personal information in the 'clear' and just waiting to be stolen. Companies need to devalue this data with security technologies like encryption and tokenization, otherwise these compromises will continue to happen.
February 24, 2020
Robert Prigge
CEO
Jumio
Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world. Organisations who hold any personal data of their customers must really improve their protection of such data. There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. Organisations need to be taking action to move towards this as a priority. Security Analytics and Automation will provide the right foundations for delivering on Zero Trust and provide better security for their customers’ data as well as the organisation’s critical data and Intellectual Property.
February 21, 2020
Peter Draper
Technical Director, EMEA
Gurucul
Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world. Organisations who hold any personal data of their customers must really improve their protection of such data. There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. Organisations need to be taking action to move towards this as a priority. Security Analytics and Automation will provide the right foundations for delivering on Zero Trust and provide better security for their customers’ data as well as the organisation’s critical data and Intellectual Property.
February 21, 2020
Ed Macnair
CEO
Censornet
Cloud servers have been a consistent feature in many of the biggest data breach stories we have seen recently. In this case, it appears that criminals gained unauthorised access, which allowed them to extract data such as names, addresses, and passport details. It's a stark reminder of the risk that comes with cloud transformation - in the past this data would have been held on the hotel's own servers. In many ways, moving to the cloud has eroded the traditional perimeters that protected data, so companies need to make sure they have new security practices for the cloud. Now this data has been stolen, and published on a hacking forum, criminals will be looking at how they use it to launch a new spate of attacks. It isn't financial information, so they can't cash it in right away, but the personal data of high profile individuals has its own value. The most likely form of attack we will see is impersonation attacks. Executives and CEOs who have had their data stolen should be asking if their organisation’s security is capable of defending against impersonation attacks, and must alert their companies to be on the lookout for any communications that may be using their personal details to impersonate them.
February 21, 2020
Patrick Martin
Senior Threat Intelligence Analyst
Skurio
Cloud-based servers should be regularly checked for who has read and write permissions and be modified accordingly, as appropriate. For a bad actor to access or exfiltrate data they need credentials or to take advantage of an ‘open door’ which has been left unlocked. BinaryEdge, Shodan and many other tools make it easy to find these open containers. This sort of activity can be thwarted just by regularly checking those correct permissions are in place. However, for those instances when the security has been bypassed there are mitigating steps organisations can take to monitor for data that’s being breached, discussed, shared or sold: by proactively monitoring for leaks or misuse of the data stored in publicly accessible databases or, in MGM's case, the dark web. This incident also highlights the importance of speed when mitigating digital risk; watermarking data with unique synthetic identities can enable organisations to detect these threats immediately and be the first to find out if their data is available online, before someone else does. Setting up email listeners for these watermark identities can detect a breach before the data is shared online, if the hacker is testing for valid addresses.
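The watermarking idea in the comment above, sketched as an added example (not code from the original page or from Skurio): each copy of a dataset is seeded with synthetic guest records whose email addresses carry a keyed tag, so an address seen in a leaked dump or in a listener mailbox's log identifies which copy leaked. The domain, key, dataset names and sample lines are all constructed assumptions.

```python
import hashlib
import hmac
import re

# Every value here is constructed for illustration.
LISTENER_DOMAIN = "guest-mail.example"  # hypothetical domain with monitored mailboxes
SECRET = b"constructed-demo-key"        # hypothetical key, kept outside the data store
FIRST = ["alex", "jordan", "sam", "casey", "morgan", "riley"]
LAST = ["hale", "voss", "lind", "marsh", "quill", "thorne"]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_canary(dataset: str, index: int) -> dict:
    """Build one synthetic guest record whose address is unique to `dataset`."""
    msg = f"{dataset}:{index}".encode()
    # Keyed tag: it cannot be predicted or forged without SECRET.
    tag = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]
    first = FIRST[int(tag[0:4], 16) % len(FIRST)]
    last = LAST[int(tag[4:8], 16) % len(LAST)]
    return {
        "name": f"{first.title()} {last.title()}",
        "email": f"{first}.{last}.{tag}@{LISTENER_DOMAIN}",
    }


def build_index(datasets: dict) -> dict:
    """Map each canary address to the dataset copy it was planted in."""
    return {
        make_canary(name, i)["email"]: name
        for name, count in datasets.items()
        for i in range(count)
    }


def find_canaries(text: str, index: dict) -> dict:
    """Return {dataset: [addresses]} for canary addresses found in `text`.

    `text` can be a leaked dump or the recipient lines of a mail log.
    """
    hits = {}
    for addr in EMAIL_RE.findall(text):
        addr = addr.lower()
        dataset = index.get(addr)
        if dataset and addr not in hits.setdefault(dataset, []):
            hits[dataset].append(addr)
    return hits


DATASETS = {"crm-prod": 3, "analytics-export": 3}  # canaries planted per copy
INDEX = build_index(DATASETS)
PLANTED = make_canary("analytics-export", 1)["email"]

# Constructed dump: two ordinary rows, one planted canary, and one look-alike
# address on the listener domain whose tag was never issued.
SAMPLE_DUMP = "\n".join([
    "Dana Example,dana@mail.example,1985-02-11",
    f"Planted Row,{PLANTED},1990-07-04",
    "Lee Example,lee@corp.example,1979-10-30",
    f"Fake Row,alex.hale.000000000000@{LISTENER_DOMAIN},1991-01-01",
])
# Constructed listener log line: a message arriving for a canary mailbox.
SAMPLE_MAIL_LOG = f"2020-02-21T10:00:00Z RCPT TO:<{PLANTED.upper()}>"

if __name__ == "__main__":
    print(find_canaries(SAMPLE_DUMP, INDEX))
    print(find_canaries(SAMPLE_MAIL_LOG, INDEX))
```

Because the tag is keyed, an unissued address on the listener domain is ignored, and a hit points to a specific dataset copy rather than only signalling that some leak occurred.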
February 21, 2020
Robert Ramsden Board
VP EMEA
Securonix
Given the sensitive nature of the information exposed in this leak, and the fact that this database has been discovered on a criminal hacking site, the security and privacy consequences for those whose data had been exposed could be huge. Individuals affected will incur a heightened risk of experiencing threats such as identity theft and phishing scams. Affected individuals should be hyper aware of any suspicious communications and be vigilant. In order to protect sensitive information, enterprises should ensure that they are using the latest security tools to isolate and mitigate anomalous behaviour in their networks before it has catastrophic consequences.
February 21, 2020
Sam Curry
Chief Security Officer
Cybereason
The latest news from MGM shouldn’t come as a surprise: the hospitality industry has a target on its back given the treasure trove in its systems. Hackers derive enormous value for what’s called Beds-and-Heads, the logistical information that allows the inference of material information across the board. With upwards of 11 million customers impacted by this latest breach, we have yet another reminder that cybercriminals are persistent, and it is only a matter of time before determined nation-states or rogue hacking groups find a way into any network they choose. It’s tempting to look at the MGM as less significant than the Marriott breach, which affected 500 million customers, but smaller breaches are no less serious than larger for the victims. The biggest concern in the MGM disclosure is that hackers stole deeper, more sensitive data on 1300 individuals, including information off driver’s licenses and military ID cards. While it is too early to speculate, there is the possibility the theft that appears to have impacted 11 million customers is a diversion for a specific, strategic attack to access information on influencers in government, law enforcement, politics and the public and private sector. That’s not to say that the larger set isn’t suffering but rather that their suffering is a callous digital ‘collateral damage’ covering the more focused and motivated compromise like an assassin throwing a grenade into a crowd on a busy street to cover their true intention. Cybereason’s recent investigation into a massive global espionage campaign against 10 telecommunications companies, dubbed ‘Operation SoftCell,’ highlights the desire that China and other nation-states have to track the whereabouts of influencers across the world without regard to losses of innocent, violated bystanders. The most troubling outcome is that none of the victims are aware they are being tracked.
Going forward, expect more targeted, strategic attacks to become the norm and more digital collateral damage by callous, motivated aggressors.
February 21, 2020
Jonathan Knudsen
Senior Security Strategist
Synopsys
If we’ve learned anything from decades of data breaches, it’s that any organisation can be a target. Information has always been valuable, but now that it is falling-off-a-log easy to duplicate and transmit vast volumes of information, protection for data needs to evolve. Taking a proactive approach to security is the best way to reduce the risk of unpleasantness. A proactive approach means thinking about security at every phase of the design and implementation of systems. One valuable activity in the design phase is threat modeling, in which you examine the system design and imagine various ways an attacker could compromise it. Based on the results of that threat model, update the design with security controls that help mitigate the risk of attack. Using threat modeling, for example, could reveal that a compromise of a database server would reveal all its contents. Armed with this knowledge, you might implement a defense-in-depth approach to protecting your data by implementing tighter access control and encrypting the database or (better yet) encrypting individual records. Any system can be compromised, but the goal is to make the cost of breaking in greater than the possible rewards.
February 21, 2020
Matt Walmsley
EMEA Director
Vectra
MGM has acknowledged a cloud “server exposure”. This could have easily been caused by poor cloud configuration and security hygiene, or from offensive attacker behaviors. As practitioners, we need to stop treating cloud separately from a security perspective. As organizations increasingly use the cloud to underpin digital transformation, it is critical that security operations teams have the ability to pervasively detect and respond to attacks and unauthorized access wherever they happen. Attackers don’t operate in silos of local mobile, network, data centers, or cloud - neither should our security capabilities.
February 21, 2020
Niels Schweisshelm
Technical Program Manager
HackerOne
When customers are made aware that their details may have been exposed, they must also take responsibility to update passwords that they might be using on multiple sites and stay vigilant for potential scams. While the cloud has many benefits, when moving to the cloud, it’s important that developers have a clear change management process in place when pushing data to a live environment as the most impactful bugs affect cloud platforms, with incorrect configurations leading to information disclosure vulnerabilities that can be used to obtain sensitive information. As in this case, no matter how dedicated your internal team, they aren’t always looking at security in the same way an external attacker would and, therefore, the best way to augment your existing resources is to engage ethical hackers who will be running the same checks as the criminals, reporting any vulnerability, such as mis-configured cloud storage volumes leaking sensitive data. It used to be that you had to notify cloud providers before you could run a security test, letting them know the pentester’s details, the date of testing, and the time frame. However, this no longer applies, and it’s easy to have cloud-hosted environments in scope for security testing.
February 21, 2020
Jake Moore
Cybersecurity Specialist
ESET
This sort of data is a honey pot for cyber criminals. When personal information such as this is leaked it becomes very sought-after, especially when it includes contact details for a number of high profile users such as celebrities. All the users on this list should now be concerned about the increased risk of further attacks such as targeted phishing emails, or worse still, falling victim to SIM swapping. This is when cyber criminals use social engineering to manipulate mobile network providers into porting your phone number to a new SIM. Attackers can then change two-factor authentication (2FA) codes and get into online accounts bypassing passwords.