More than 10 million guests of the MGM Casino in Las Vegas have been implicated in a wide-sprawling data breach that hit the hotel several months ago.
News of the data breach was first broken by ZDNet’s Catalin Cimpanu who says that the personal information of more than 10 million guests was published on a hacking forum discovered earlier this week.
“Besides details for regular tourists and travelers, including in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials and employees at some of the world’s largest tech companies.” The data listed includes full names, home addresses, phone numbers, emails and dates of birth of a massive amount of people, including Twitter’s founder, Jack Dorsey, and entertainer Justin Beiber and even some TSA officials.
The author states that ZDNet has verified the authenticity of the data dump listed online with the help of security research collective, Under the Breach, and a spokesperson for MGM Resorts has also confirmed the hack via email.
“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” the spokesperson told ZDNet.
“We are confident that no financial, payment card or password data was involved in this matter,” they added, assuring reporters that all impacted hotel guests were informed of the breach “in accordance with applicable state laws.”
The BBC is writing that “approximately 1,300 former guests were notified that more sensitive information including passport numbers had been revealed.”
A majority of the United States data laws do not require the immediate disclosure of a data breach, in contrast to Europe’s GDPR legislation which stipulates an organisation must disclose the nature and scope of a data breach within days of becoming aware of it.
“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” they said.
Irina Nesterovsky, head of research at KELA, a threat-intelligence firm, the data swept up in the breach has been floating around several hacking forums since July, 2019. “The hacker who released this information is believed to have an association, or be a member of GnosticPlayers, a hacking group that has dumped more than one billion user records throughout 2019,” according to the report.