10.6 million MGM Resorts guests had personal info exposed in breach

• The sensitive personal information of more than 10.6 million people who stayed at MGM Resorts hotels has been published on a hacking forum.
• Impacted hotel guests include tourists, travelers, CEOs, government officials, and celebrities.
• Exposed information includes names, addresses, phone numbers, email addresses, and birth dates.
• The online tech publication ZDNet first reported the MGM Resorts data breach, working with security research firm Under the Breach.
• MGM Resorts confirmed the breach and said it notified affected guests when the breach was discovered during the summer of 2019.
• The exposed personal information likely affects hotel guests who stayed in the MGM Resorts hotels no later than 2017.

The personal information of more than 10.6 million hotel guests who stayed at MGM Resorts was exposed in a data breach.

Exposed data included names, addresses, phone numbers, dates of birth, and email addresses.
MGM Resorts confirmed the breach occurred in the summer of 2019. The hotel chain said affected hotel guests were promptly notified last year when the breach was discovered. It is believed that guests whose information was exposed stayed at MGM Resorts in 2017 and earlier.

What happened?

The MGM Resorts data breach was discovered in the summer of 2019, but the breach became public on February 20, 2020, when ZDNet published an article about the data security incident.

ZDnet contacted MGM Resorts, which confirmed the breach.

"Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," MGM told ZDNet.

Information accessed in the breach was posted on a hacking forum this week. The hacker who released the information is believed to have ties to the hacking group GnosticPlayers.

GnosticPlayers posted more than 1 billion records on hacking forums in 2019, security researcher Irina Nesterovsky told ZDNet.

ZDNet contacted MGM Resorts with leaked guest data found on the hacking sight. MGM was able to match the information with data accessed in the summer 2019 data breach.

What data was exposed?

Here’s what information was exposed in the MGM Resorts breach.

• Full names
• Home addresses
• Phone numbers
• Email addresses
• Dates of birth

It has been reported by news sources that the MGM Resorts data breach did not include financial or payment card data, such as credit card numbers, or passwords.

MGM Resorts has brought in two cybersecurity forensics firms to conduct an internal investigation into the data breach, according the ZDNet article.

MGM Resorts data breach timeline

Here’s a timeline for how the MGM Resorts breach reportedly unfolded.

• Summer 2019. MGM Resorts discovers unauthorized access to a cloud server. The server contained a limited amount of guest information.
• Soon after. MGM Resorts notifies impacted guests about the data breach.
• Week of February 16, 2020. Personal information of 10.6 million hotel guests is published on a hacker forum.
• February 20, 2020. ZDNet and security firm Under the Breach confirm the data is authentic.
• February 20, 2020. MGM Resorts confirms the security incident occurred and says affected hotel guests were notified soon after the breach.

Who was impacted?

The MGM data breach illustrates how different types of data exposures can affect specific groups of people — much like a hospital data breach might affect patients.

MGM Resorts operates properties nationally, and many properties can be destinations for tourists, business travelers, convention attendees, and entertainers.

Here’s a partial list of the people who were impacted in the MGM breach.

• Tourists
• Travelers
• Celebrities
• Company executives and employees
• Government officials
• Media reporters and journalists
  

What are the risks?

In any data breach that exposes sensitive information, there is the possibility that cybercriminals will try to use the information to commit identity theft or fraud.

For instance, personal information from hotel guests can be used for spear fishing. That’s when a fraudster sends an email or text that includes personal details, making the message appear legitimate. The fraudster may try to trick the recipient into providing sensitive personal or financial information.

Guests might also face another risk: SIM card swapping. That’s when scammers hijack your cell phone number and use it to gain access to your sensitive personal data and accounts.

What should you do if you stayed at a MGM Resorts property?

Keep in mind that MGM Resorts says it already contacted guests affected by the breach.

In general, here are the steps you would typically take after learning your personal information may have been exposed in a data breach.

1. Confirm there was a breach and whether your information was exposed.
   
2. Find out what type of data was stolen.
3. Accept the breached entity's offers to help.
   
4. Change and strengthen your online logins, passwords and security Q&As.
5. Contact the right people and take additional action.
   

The MGM Resorts data breach is a reminder that you likely share your personal information with various companies when traveling for business or leisure. When exposed, that information could be used months or even years later to commit identity theft or other fraudulent activity against you.