MGM Resorts hack affected a reported 10.6M former guests

MGM Resorts International has released a statement confirming the company was hacked last summer, with certain information — including some guests’ drivers license and passport information — stolen from a cloud server.

ZDnet first reported on Wednesday that personal details for more than 10.6 million former hotel guests were affected. MGM declined to confirm the actual number of affected guests because the data included many duplicates.

Hotels and other businesses in the hospitality industry are being targeted by hackers because they “store vast treasure troves” of guest data, according to Scott Watnik, a partner at Wilk Auslander and co-chair of the New York firm’s cybersecurity practice.

“This is becoming all too common,” he said.

Threat to guests

An MGM spokesperson confirmed that the company discovered someone had gained unauthorized access to “a limited amount of information for certain previous guests of MGM Resorts.”

After discovering the security breach, the company notified potentially impacted guests.

In total, there were about 52,000 people notified about the hack in accordance with applicable state laws. Many of those were from South Dakota, which has a law requiring notification for most hacks. Roughly 1,300 of those had sensitive data such as a driver’s license or passport information involved in the hack.

The spokesperson said the company is confident no financial, payment or password data was involved, and the majority of the data taken included information such as names and phone numbers.

But Watnik said hackers can still do “tons of damage” with that information.

“Even if someone has your name and phone number and nothing else, that could lead to serious consequences, ” he said.

This includes spear phishing — when a hacker uses a trusted email address to get confidential information from their contacts — as well as SIM swapping — when a hacker uses a cellphone number to convince a wireless carrier to switch a phone number to a SIM card they control.

Watnik suggested guests impacted by the hack change security passcodes, make sure their financial institutions are on the lookout for any suspicious activity or withdrawals, notify their cellphone carrier of the hack to avoid a SIM swapping scam and change their email address.

More to come

After discovering the security breach, MGM brought in two cybersecurity forensics firms to assist with an internal investigation, review and remediation of the issue.

“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” according to the spokesperson.

Watnik said the company did well in complying with breach notification statutes.

“They got in quick in an attempt to mitigate the damage and implement additional security measures,” he said. “But one could say it was too little, too late.”

Michael Phillips, chief claims officer at San Francisco-based cybersecurity company Arceo AI, said it’s possible MGM did everything right and still fell prey to hackers.

“Unfortunately, hacking the hospitality industry is a favorite of sophisticated cyber criminals and nation-state actors,” he said. “Cloud-based data breaches are becoming increasingly common as businesses of all sizes and types move their key operations and customer databases to the cloud.”

Other hospitality companies like Marriott and the Trump Hotel Collection have been hacked. Watnik said there will likely be more to come.

“Large corporations have to be hypervigilant,” he said. “These (hackers) are very sophisticated. … I think we’re going to keep seeing more and more of this.”

Contact Bailey Schulz at bschulz@reviewjournal.com or 702-383-0233. Follow @bailey_schulz on Twitter.