The personal data of more than 10.6 million previous MGM Resorts guests has been leaked to the public last year, according to a new report by the tech media group ZDNet. This comes the very same day as a separate report by the cloud security and compliance firm DivvyCloud found that cloud misconfiguration is a growing cause for data breaches around the world—strongly suggesting a cause behind the MGM Resorts breach.
The DivvyCloud report reveals that there is a rapidly growing trend of data breaches being caused by cloud misconfiguration, and that the resulting exposure of 33.4 billion records between 2018 and 2019 has seen a total cost to companies of up to $5 trillion globally.
The data breach at the MGM Resorts occurred over the very same time period as the rise in breaches due to cloud misconfiguration, suggesting a possible causal relationship. Furthermore, an official statement by MGM Resorts claim that the data breach was initiated via hackers having gained access to the hotel group’s cloud servers—further supporting the idea that cloud misconfiguration was ultimately responsible for the leak.
MGM Resorts sees its biggest-ever leak
According to the reporting of Catalin Cimpanu of ZDNet, the full names, residential addresses, mobile phone numbers, email addresses and dates of birth of more than 10.6 million guests who stayed at MGM Resorts were dumped onto a hacking forum around mid-2019.
Many of the guests whose details were leaked include high profile figures including celebrities, Silicon Valley CEOs, reporters and government officials. The biggest names in the list include Twitter’s chief executive Jack Dorsey and celebrity singer Justin Bieber.
MGM Resorts confirmed the mass data leak to ZDNet. They added that they had alerted all of the hotel guests who were impacted around August last year in accordance with the relevant state laws.
The hotel chain is currently in the process of working with cybersecurity forensic firms to determine the origin of the data leak, and they are actively trying to take steps to mitigate the risk of future attacks, the report claims.
The report also goes on to point out that while MGM Resorts had tried to keep the data leak under wraps, the data itself had all the while been freely available on a hacking forum online. The data dump was later detected by an upcoming breach detection service, Under the Breach, which, in turn, alerted ZDNet security reporters.
Cloud misconfiguration on the rise
The MGM Resorts data breach is highly relevant in light of the concurrent DivvyCloud report on the risks of cloud misconfiguration which—like the report on the data leak—hit the press on 19 February.
According to DivvyCloud researchers, not only does the number of records exposed by cloud misconfigurations stand at 33 billion, but that cloud misconfigurations rose by as much as 80% between the two years of 2018 and 2019 alone, of which S3 bucket misconfigurations accounted for 16% of total breaches. The researchers also expect that this trend is likely to persist as companies continue to take improper security measures being taken at corporations.
Interestingly, the paper also found that 68% of companies affected were founded before 2010, whereas just short of 7% were founded in 2015 or after. This suggests a strong correlation between the age of companies and the likelihood of them misconfiguring their cloud servers.
The research found that the technology industry suffered the most breaches, while hospitality, finance, retail, education, and business services suffered the fewest.
The study also reveals that mergers and acquisitions (M&As) between companies result in a higher likelihood of cloud server breaches occurring, with nearly 42% of companies studied having undergone M&As during the study period.
A likely link
The MGM Resorts data breach bears a considerable measure of similarity with the trends identified by DivvyCloud pertaining to cloud misconfiguration as leading to exposure to data breaches.
MGM Resorts, for one, have admitted that the data leak came as a result of issues pertaining to their cloud server. According to a spokesperson questioned by ZDNet, “last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.”
“We are confident that no financial, payment card or password data was involved in this matter,” the spokesperson added.
While MGM Resorts have thus far not provided any more information as to the technical origins of the leaks—other factors pertaining to the DivvyCloud study support the notion that the leaks occurred as a result of cloud misconfiguration.
MGM Resorts, for example, was founded in 1986. This places them firmly in the correlative category of being at higher risk of cloud server related breaches due to the fact that their internal IT infrastructure is well-established, extensive and inflexible.
Furthermore, the company has undergone numerous high-profile M&As and joint ventures over the course of last two years, including with the UK gambling giant GVC Holdings in 2018, and with both the Yonkers Raceway & Empire City Casino and Sydell Group in 2019. According to DivvyCloud, the merging of distinct IT environments in M&As such as these can often lead to new vulnerabilities and an increased likelihood of security threats.
While it is still unconfirmed as of yet, when all things are taken into account, the evidence on the matter seems to strongly suggest that a cloud misconfiguration was ultimately responsible for last year’s MGM Resorts data leak.