MGM Resorts has confirmed there was unauthorized access to one of the company’s cloud servers in 2019 that contained information on a reported 10.6 million guests, possibly including several high-profile guests.

MGM did not confirm the number of people involved, but ZDNet, working with the new security firm Under the Breach, reportedly found data on 10,683,188 guests posted to a hacking forum. SC Media was able to confirm that the data included full names, home addresses, phone numbers, emails, and dates of birth.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter,” MGM Resorts told SC Media in a statement.

The company believes no financial data or passwords were included in the data dump, adding it has informed the customers involved.

However, Ray Walsh, data privacy advocate at ProPrivacy, said some customers did have more sensitive data exposed.

“MGM Resorts has claimed that no financial, card payments or passwords were stolen during the breach. However, it would appear that at least 1,300 individuals had extremely sensitive data stolen during the incident – including personal information from their driver’s license, passport, and even military ID cards,” he said.

The company did not say exactly how or why the cloud server was exposed, but Matt Walmsley, EMEA Director at Vectra, believes it is likely one of the normal causes behind such breaches.

“MGM has acknowledged a cloud ‘server exposure’. This could have easily been caused from poor cloud configuration and security hygiene, or from offensive attacker behaviors. As practitioners, we need to stop treating cloud separately from a security perspective,” he said.

MGM Resorts said it promptly notified guests potentially impacted by this incident in accordance with applicable state laws, and retained two cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue.

The fact that the breach happened about seven months ago without any public disclosure may have led MGM to believe the data was not going to be used by the thieves, but as with many breaches, malicious actors sometimes wait months or years to tip their hand, said Adam Laub, CMO, STEALTHbits Technologies:

“This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal, despite its age and the potential staleness in certain spots,” Laub said.

Hotel chains and travel companies were major targets for cybercriminals in 2019, with several being hit with Magecart card skimming malware and others suffering from exposed cloud servers like MGM Resorts.

  • Choice Hotels in August 2019 had an open MongoDB database discovered with information on 700,000 customers being taken and then held for ransom.
  • Two unnamed hotel chains discovered Magecart on their third-party online booking software.
  • In May 2019 it was found the Pyramid Hotel Group stored security info on an openly accessible Elasticsearch server with 85.4GB of data.
  • A bug in the Amadeus online reservation system, which is used by 44 percent of the international air carrier market, made it possible to access and change reservations with just a booking number.