
Assistant editor, IFSEC Global

February 20, 2020


MGM Resorts hit by cyber attack, leaking personal data of guests

There have been reports of a cyber attack in which personal data of 10.6 million guests who stayed at MGM Resorts hotels during the summer of 2019 may have been released by hackers.

MGM has resorts across America, including Las Vegas, Atlantic City and Detroit. It also has resorts in China and Japan and is currently building a new resort in Dubai.

MGM confirmed the attack to the BBC, after ZDNet reported that the hacked information was posted to a hacking forum, exposing names, addresses and passport numbers of the guests.

According to ZDNet, celebrities such as Justin Bieber and Twitter founder, Jack Dorsey, were among the guests that may have been hacked. However, MGM has not confirmed this.

1,300 guests were told that more sensitive data, like passport numbers, were hacked and an additional 52,000 were told that less sensitive personal information was exposed. Despite this, cyber attackers are generally skilled in using the least sensitive data to target an individual online.

A spokesperson for MGM Resorts said: “Last summer, we discovered unauthorised access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.

“We are confident that no financial, payment card or password data was involved in this matter.”

In 2017, Marriott Hotels experienced a similar attack, when it had the information of 500 million guests hacked. This became the largest hacking of hotel guests.

Becky Nicholson, a data privacy expert who works across multiple industries to assist organisations with data protection and data breach issues, and a consultant at Bridewell Consulting, commented:

“We are in danger of becoming numb to data breaches, due to the frequency and scale they are being reported. All organisations must take steps to protect their systems and ultimately customer data. This means taking basic steps such as putting in place regular security assessments, a strong patching and password policy, and enforcement of multi-factor authentication on every public facing system. These are not silver bullets but can go a long way to improving security.

“At this stage, it’s not clear how the hacker managed to gain access to MGM’s cloud server. However, technical defence is still paramount, and in particular, regular penetration testing is vital. It’s also just as important to test employee awareness. Employees will always be the weakest link but with the right education can be an organisation’s biggest asset in terms of defence. Such employee awareness training can also be measured by regular phishing or red team assessments,” she added.

Ekaterina Khrustaleva, COO of web security company ImmuniWeb, also added: “This particular incident reportedly contains only the victims’ PII, so it is not all that perilous or likely to be used for blackmailing. We should, however, not underestimate the overall impact of the breach. It provides a wide spectrum of efficient attack scenarios for cyber criminals, spanning from spear phishing to BEC and whaling. Victims should be cautious about any incoming messages, calls or emails. Those whose passwords or secret answers can be inferred from the compromised data need to urgently consider changing their passwords and secret questions if they have not yet done so.”

“This data breach is comparatively insignificant in light of the exposed details. Almost every day, cyber criminals on various Dark Web marketplaces offer stolen data coming from hotels and resorts, and not that infrequently the data contains extremely sensitive information about guests’ preferences and stay.”
