[BreachExchange] A hacker is selling details of 142 million MGM hotel guests on the dark web

Tue Jul 14 10:13:40 EDT 2020

https://www.zdnet.com/article/a-hacker-is-selling-details-of-142-million-mgm-hotel-guests-on-the-dark-web/

The MGM Resorts 2019 data breach is much larger than initially
reported, and is now believed to have impacted more than 142 million
hotel guests, and not just the 10.6 million that ZDNet initially
reported back in February 2020.

The new finding came to light over the weekend after a hacker put up
for sale the hotel's data in an ad published on a dark web cybercrime
marketplace.

According to the ad, the hacker is selling the details of 142,479,937
MGM hotel guests for a price just over $2,900.

The hacker claims to have obtained the hotel's data after they
breached DataViper, a data leak monitoring service operated by Night
Lion Security.

Vinny Troia, founder of Night Lion Security, told ZDNet in a phone
call that his company never owned a copy of the full MGM database and
that the hackers are merely trying to ruin his company's reputation.

MGM SAYS IT NOTIFIED ALL IMPACTED USERS

Reached out for comment on Sunday, MGM Reports issued a statement
claiming they were aware of the scope of the breach.

The MGM breach occurred in the summer of 2019 when a hacker gained
access to one of the hotel's cloud servers and stole information on
the hotel's past guests.

This archived TechRepublic Premium report, originally published in
November 2013, is available for free to registered TechRepublic
members. For all the latest research reports, 100+ ready-made
policies, IT job descriptions, and more, check out TechRepubli...

Research provided by TechRepublic Premium

MGM learned of the incident last year, but never made the security
breach public, but notified impacted customers, according to local
data breach notification laws.

The security breach came to light in February 2020 after a batch of
10.6 million MGM hotel guests' data was offered as a free download on
a hacking forum. At the time, MGM admitted to suffering a security
breach, but the company didn't disclose the full breadth of the
intrusion.

"MGM Resorts was aware of the scope of this previously reported
incident from last summer and has already addressed the situation," an
MGM spokesperson told ZDNet in an email today, referring to the
company's efforts to notify impacted users.

An MGM spokesperson also pointed out that "the vast majority of data
consisted of contact information like names, postal addresses, and
email addresses."

Financial information, ID or Social Security numbers, and reservation
(hotel stay) details were not included, MGM said in February, which
ZDNet is able to confirm after reviewing two different batches of MGM
data -- the 10.6 million user records leaked in February and a newer
20 million batch shared by the hackers on Sunday.

Dates of birth and phone numbers were also included, which is how we
were able to confirm the breach in the first place, by contacting past
hotel guests.

BIGGER THAN 142 MILLION?

However, the MGM data could be even bigger than the 142 million count
we have today.

Irina Nesterovsky, Head of Research at threat intel firm KELA, told
ZDNet back in February that the MGM data had been circulating and was
being sold in private hacking circles since at least July 2019.

Posts on Russian-speaking hacking forums promoted the MGM data breach
as containing details on more than 200 million hotel guests.