MGM knew in February
New evidence shows that the 2019 MGM Resorts International data breach may have been significantly larger than initially believed. According to ZDNet, hackers appear to have the personal information of over 142 million hotel guests – 13 times more than the 10.6 million records that were reported in February of this year.
MGM has admitted that it knew the actual size of the data breach
This new figure comes from an ad posted on what ZDNet calls a “dark web cybercrime marketplace.” The hacker claims they have 142,479,937 guest records, offering them up for only $2,939.76.
MGM has admitted that it knew the actual size of the data breach, even though it only acknowledged the 10.6 million figure in February.
“MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation,” a company spokesperson told ZDNet. In “addressing” the situation, MGM means that it notified or attempted to notify customers who were impacted by the security failing.
Server owner disputes hacker’s claims
The hacker says that they obtained the MGM records by breaking into the servers of DataViper, a “data leak monitoring service” run by Night Lion Security. Night Lion’s founder, Vinny Troia, vehemently denies that it was his firm that was the hacker’s treasure trove, telling ZDNet that his company never even had MGM’s data.
On Monday, the hacker posted on a dark web site that they collected 8,225 databases during a three-month stint digging into DataViper’s servers. The person provided proof, including data samples.
ZDNet says that most of the databases the hacker listed were from previously known breaches. Troia says that that the hacker only accessed a test server and was likely selling their own data, not anything they got from DataViper.
All they had access to was a dev environment.”
“When people think they are above the law, they get sloppy,” Troia said in a formal statement. “So much so they forget to look at their own historical mistakes. I literally detailed an entire scenario in my book where I allowed them to gain access to my web server in order to get their IPs. They haven’t learned. All they had access to was a dev environment.”
No financial data exposed
Fortunately, it does not appear that any extremely sensitive MGM customer information was leaked. In February, the company said that the “vast majority” of the data consisted of basic personal information such as names, physical addresses, and e-mail addresses.
Financial information, social security numbers, reservation details, and other identification information were not part of the data haul. ZDNet verified the database contacts both in February and from the latest batch over the weekend. The IT news site used phone number and date of birth information to contact some of MGM’s customers to confirm the veracity of the data.
experts advise everyone to use two-factor authentication, strong, unique passwords, and other measures to beef up account security
Experts say that those affected by the data breach likely do not have to worry too much, as the information acquired is mostly readily available to the public, obtainable by a basic internet search. Thus, someone accessing a customer’s financial accounts or the like is improbable. That said, having all that information in one place does make the first steps in identity theft easier, so experts advise everyone to use two-factor authentication, strong, unique passwords, and other measures to beef up account security.