A data breach involving the theft of customer records from MGM Resorts International last year may have been much larger than initially thought, with some 142 million allegedly hacked MGM customer records found for sale on the shady part of the internet known as the dark web.
The data breach was discovered in February when some 10.6 million MGM customer records were found online. MGM confirmed the news, saying at the time that the hack took place in summer 2019 and that it involved “unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.”
The initial data found in February included full names, addresses, phone numbers, dates of birth, email addresses and in some cases passport and driver's license numbers. Some of the records included government officials, chief executive officers and others, notable among them Twitter Inc. Chief Executive Jack Dorsey and singer Justin Bieber.
According to ZDNet, a hacker known as NightLion listed more than 142 million MGM hotel guest records for sale at a price of $2,900 on a dark web site over the weekend. NightLion is the same hacker who claims to have stolen some 8,200 breach databases containing the information of billions of users from DataViper late last week, and he claims that he obtained the MGM database from DataViper.
In the case of DataViper, company owner Vinny Troia claimed that the hacker gained access only to a test instance and that the databases being offered were the hacker’s own and not stolen information. In this case, Troia told ZDNet, his company has never owned a copy of the MGM database and the hacker is trying to ruin his reputation.
The claims from Troia combined with MGM never providing the exact number of records stolen in the hack make it difficult to ascertain whether the 142 million alleged records offered for sale are legitimate.
“MGM’s breach, if accurate, is huge, calling once again for better data security practices for data in cloud systems from where the data appears to have been stolen,” Mark Bower, senior vice president at data security services company comforte AG, told SiliconANGLE. “The new breach of 142 million records, despite being limited to names and addresses, can still be considered personal data with substantial financial ramifications under the mix of jurisdictions. This will likely trigger even deeper increased scrutiny and concern from a variety of regulators over privacy handling practices and specifically data security.”
Casey Kraus, president of serverless security firm Senserva, noted that even if no financial information is contained in the data breach, it still exposes millions of people worldwide, as well as the organizations they work for, to possible risk.
“The information contained could be used to try to gain entry into corporate networks where further damage can be done outside of just the individual,” Kraus said. “Without being able to identify how the breach occurred and help others better secure their environments, similar incidents are bound to be repeated.”
Paul Bischoff, privacy advocate at tech research company Comparitech Ltd., warned that “MGM Hotel guests should be on the lookout for targeted scams and phishing messages from fraudsters.
“These attacks might come via phone or email and might include information such as your name and address in order to make them more personalized and convincing,” Bischoff said. “Never click on links in unsolicited emails, check the spelling of the sender’s email domain and be sure to verify the sender before responding using contact information found through a Google search.”
Photo: Zereshk/Wikimedia Commons