MGM Resorts says data breach exposed some guests' data

Michael Levenson, The New York Times

Posted at Feb 20 2020 11:33 AM

MGM Resorts says data breach exposed some guests' data 1
An MGM Resorts hotel lobby is shown in this photo from the company's Facebook page. MGM said on Feb. 19, 2020 that it was the victim of a data breach last year

MGM Resorts International, the casino and hotel giant, acknowledged Wednesday that it was the victim of a data breach last year, the latest company to have the personal information of its customers exposed.

MGM did not disclose the number of customers affected, but Under the Breach, a firm that monitors cybercrimes and provides intelligence about potential data breaches to companies, said 10.6 million people were affected.

Under the Breach said several high-profile guests at MGM properties had their email addresses, phone numbers and physical addresses exposed, including one guest with the same name as Jack Dorsey, Twitter’s chief executive.

Twitter declined to comment Wednesday night.

MGM Resorts said the vast majority of those affected had “phone book information” breached such as name, phone number and address. About 1,300 individuals had more sensitive data — from their driver’s licenses, passports or military ID cards — exposed, MGM said.

“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM Resorts International said in a statement. “We are confident that no financial, payment card or password data was involved in this matter.”

MGM Resorts said it had promptly notified guests potentially affected by the breach in accordance with state laws. MGM did not disclose who had breached the data, but said it had worked with law enforcement to investigate. The company also hired two cybersecurity firms to investigate, review and help fix the breach.

“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again,” the company said.

MGM Resorts publicly acknowledged the breach after ZDNet, a technology news website, published a report Wednesday detailing how the personal information of guests had been posted on a hacking forum.

The MGM breach followed a spate of attacks on the American hospitality industry, which included the hack of the Marriott hotel chain in 2018. That breach compromised data on roughly 500 million hotel guests.

Hotel chains and travel companies have been a major target for Chinese espionage, in particular, because of the vast troves of data they store on American executives and government officials with security clearances.

© 2020 The New York Times Company