10.6 million people who had stayed at MGM Resorts have had their personal data published on a hacking forum, it was revealed this week. According to ZDNet, the leaked personal data included names, addresses, phone numbers, emails and dates of birth.
It is thought that the recent breach stems from an earlier incident which occurred last year, whereby unauthorised actors were able to access MGM’s internal cloud and therefore the personal information of previous guests.
Several cybersecurity professionals have commented on the news of this widespread data breach:
Peter Draper, technical director EMEA at Gurucul:
“Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world.
Organisations who hold any personal data of their customers must really improve their protection of such data.
There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. Organisations need to be taking action to move towards this as a priority. Security Analytics and Automation will provide the right foundations for delivering on Zero Trust and provide better security for their customers’ data as well as the organisation’s critical data and Intellectual Property.”
Hugo van den Toorn, manager of offensive security at Outpost24:
“This seems to be another example of how difficult it can be to properly secure your cloud environments and the importance of being transparent after security incidents occur. Based on the available information, MGM seem to have handled everything adequately; although the breach happened last year, affected customers were informed and responses by MGM were swift and adequate.
It also shows the wealth of information that large organizations possess. Although the hospitality industry might not sound like a primary target for malicious hackers, this once again confirms that it is a potential goldmine for hackers. Simply due to the sheer number of hotel guests, the personal data that is processed and stored skyrockets in this business. Making it an interesting target for hackers, and just one misconfiguration on a cloud system could expose parts of the data to the world.”
Sam Curry, chief security officer at Cybereason:
“The latest news from MGM shouldn’t come as a surprise: the hospitality industry has a target on its back given the treasure trove in its systems. Hackers derive enormous value for what’s called Beds-and-Heads, the logistical information that allows the inference of material information across the board. With upwards of 11 million customers impacted by this latest breach, we have yet another reminder that cybercriminals are persistent, and it is only a matter of time before determined nation-states or rogue hacking groups find a way into any network they choose. It’s tempting to look at the MGM as less significant than the Marriott breach, which affected 500 million customers, but smaller breaches are no less serious than larger for the victims.
The biggest concern in the MGM disclosure is that hackers stole deeper, more sensitive data on 1300 individuals, including information off driver’s licenses and military ID cards. While it is too early to speculate, there is the possibility the theft that appears to have impacted 11 million customers is a diversion for a specific, strategic attack to access information on influencers in government, law enforcement, politics and the public and private sector. That’s not to say that the larger set isn’t suffering but rather that their suffering is a callous digital ‘collateral damage’ covering the more focused and motivated compromise like an assassin throwing a grenade into a crowd on a busy street to cover their true intention.
Cybereason’s recent investigation into a massive global espionage campaign against 10 telecommunications companies, dubbed ‘Operation SoftCell,’ highlights the desire that China and other nation-states have to track the whereabouts of influencers across the world without regard to losses of innocent, violated bystanders. The most troubling outcome is that none of the victims are aware they are being tracked. Going forward, expect more targeted, strategic attacks to become the norm and more digital collateral damage by callous, motivated aggressors.”
Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company:
“The information on celebrities, tech CEOs, reporters, government officials, and employees represents a valuable treasure trove of information for cybercriminals who are selling it and for those that will be using it. All customer information is valuable to fraudsters. Name, physical, and email addresses, passwords, the content of emails – everything can be used to compile an identity, take over accounts or open new credit lines.
This type of stolen data is why so many organisations – from the hospitality sector through to eCommerce companies, financial institutions and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics that identify customers by their online behavior, thus mitigating post-breach damage as hackers are not able to impersonate individual behavior.”
Jonathan Knudsen, senior security strategist at Synopsys:
“If we’ve learned anything from decades of data breaches, it’s that any organization can be a target. Information has always been valuable, but now that it is falling-off-a-log easy to duplicate and transmit vast volumes of information, protection for data needs to evolve.
Taking a proactive approach to security is the best way to reduce the risk of unpleasantness. A proactive approach means thinking about security at every phase of the design and implementation of systems. One valuable activity in the design phase is threat modeling, in which you examine the system design and imagine various ways an attacker could compromise it. Based on the results of that threat model, update the design with security controls that help mitigate the risk of attack.
Using threat modeling, for example, could reveal that a compromise of a database server would reveal all its contents. Armed with this knowledge, you might implement a defense-in-depth approach to protecting your data by implementing tighter access control and encrypting the database or (better yet) encrypting individual records. Any system can be compromised, but the goal is to make the cost of breaking in greater than the possible rewards.”
David Kennefick, product architect at Edgescan:
“As with any breach there will be a tendency to look for specific high-profile people whose information will be included in data dumps such as this. We have no information about how the breach happened, but it appears to be confirmed by MGM Resorts. The only concern I would have with this is it’s taken nearly a year for this to become public knowledge; I would hope that they have already contacted the impacted customers and allowed them to keep an eye out for general fraud and potential phishing/spear phishing attacks.
Going forward, when booking a hotel room, we should set a standard of being able to do this while providing as little information as possible.”