In early 2020, there was a report that the MGM Grand resort in Las Vegas had experienced a major data breach. The personal information of about 10.6 million guests had been exfiltrated, going back an unknown number of years.
The wording of the report was always confusing. Some news articles named only the MGM Grand resort, which was plausible for a data breach dating back years given that the property has nearly 7,000 rooms (the largest amount in the United States) and is quite popular with Vegas tourists. However, other articles named parent company MGM Resorts International. This company operates many casino-hotels in a number of states, including nearly half of the properties on the Vegas Strip and a handful of properties in China.
A new discovery of over 142 million guest credentials on the dark web appears to confirm that the data breach nabbed information from a variety of MGM Resorts properties, not just the MGM Grand. ZDNet reporters found the information on sale for $2,939 USD in mid-July. MGM had previously contacted guests that were impacted by the data breach, but these new numbers indicated there may be over ten times as many that were not contacted and are not aware that their personal information has been compromised.
The MGM data breach: What’s the full story?
Initial reporting on the MGM data breach in February indicated that the exposed information was limited to contact details: full names, billing addresses, email addresses, and so on. The most sensitive item that was breached appeared to be birth dates. Financial information, social security numbers and details of hotel stays were reportedly not included. MGM confirmed that there was a breach, but would not confirm the exact number of credentials that were compromised.
The current crop of 142 million records was reportedly obtained from security firm DataViper. MGM retained DataViper, which is owned by Night Lion Security, as a breach monitoring service in the wake of the original data breach announcement. Night Lion owner Vinny Troia claimed that the new breach number was fictional and that this was concocted by a competitor to smear his company’s reputation. However, ZDNet reporting appears to confirm that the new guest information is legitimate. If it is, it would mean that MGM may have knowingly concealed the scope of the breach and failed to contact the vast majority of the impacted parties.
ZDNet also reports that there are unconfirmed rumors that as many as 200 million records are currently available through Russian-language underground hacking forums.
MGM data breach risks
If MGM is to be believed, the scope of the included personal information is somewhat limited. It sounds as if it may have come from the MGM “M Life” loyalty program or perhaps a basic marketing database. However, the real risk is when it is combined with other available information to forge convincing phishing or identity fraud attacks, as Yinglian Xie, CEO and Co-Founder of DataVisor, observes: “Breaches and dark web data are just the beginning of a downstream attack. As fraudsters get access to this data through the dark web, it gives them the tools to do more sophisticated downstream attacks. By creating synthetic identities, they can apply for credit cards, open fake accounts and take advantage of promotions or make fraudulent purchases, costing businesses millions in lost revenue.”
A particular problem with this data breach is that DataViper presumably had access to more credentials than just those from MGM. And the means by which the attackers breached their systems is concerning. According to Matt Keil, Director of Product Marketing at Cequence Security: ” … Data Viper, a purported security company, lost its database as a result of poor API secure coding practices – the developer left their credentials exposed in an API usage document. The scope of the breach and the technique used, highlight two areas of weak security practices. The first weakness is the fact that many of the databases collected by Data Viper were the result of poor cloud-based implementations – they had little or no access control and authentication configured, or the API keys were left exposed – so the data was freely accessible to anyone on the web. The second weakness is the developer error of leaving API credentials exposed, an all too common error made by many organizations that are moving (rapidly) to an API-based development methodology.”
There is also the possibility that more sensitive personal information may have been acquired in the breach. The exact wording in MGM’s response to the breach was that “most of” the compromised accounts consisted of only basic contact information. The company did not clarify if the exceptions had more potentially damaging information attached to them. Mark Bower, senior vice president for comforte AG, is among those that believe the problem may run deeper: “MGM’s breach, if accurate, is huge, calling once again for better data security practices for data in cloud systems from where the data appears to have been stolen. The initially reported breach from 2019 is reported to include driver’s license and passport information in the personal data set which falls under many regulatory frameworks including Nevada’s own SB220 privacy mandate, CCPA, GDPR and various other US state mandates.”
Even if the data breach only contains email addresses and phone numbers, it is enough information that breach subjects should expect to be targeted by scam and phishing attempts. The most concerning element is the inclusion of dates of birth, which can not only help to lend legitimacy to scam attempts but are also often incorporated into security checks.
The news about the expansion of the data breach comes at about the worst possible time for MGM, which is struggling to maintain adequate revenue during the Covid-19 pandemic. Outside of Macau, its properties were subject to closures that lasted as long as three months. Most have reopened at this point, but with limited amenities and bringing in much less business than is normal for the busy summer months.