With the cyberattack, an MGM spokesperson confirmed that the data that was shared online this week was due to unauthorized access to an MGM cloud server that the hotel discovered last summer. The timing is of a concern: the data was hacked into in 2019 and is only now being exposed close to a year later, by the hackers.
Personal information belonging to 10.6 million guests of MGM Resort were published on a hacking forum this week. Impacted individuals include celebrities, reporters, government officials and well-known CEOs. The leaked files contained, as ZDNet reports:
Full names,
Home addresses,
Phone numbers,
Emails,
Dates of birth.
This form of personally identifiable information is typically the most targeted form of data by malicious actors, and hotels are a prime target because they collect highly sensitive information from their guests.
To look more in-depth into the incident, Digital Journal caught up with Anurag Kahol, CTO at Bitglass.
Kahol begins by looking at the specific vulnerabilities around the travel sector: “Hotels and resorts manage personal data each day and store and process the information of millions of guests every year. Consequently, they must ensure that proper security controls are always in place.”
With the specific incident impacting on MGM, Kahol sates: “This security incident, impacting over 10 million MGM Resort customers, is particularly concerning as some of the compromised guest information, such as dates of birth, phone numbers, home addresses, and email addresses, belonged to government officials, celebrities, and well-known enterprise executives. All impacted guests are now vulnerable to sophisticated phishing scams as well as account hijacking across all of the various services that they use.”
However, resort managers can put in place measures designed to prevent this type of attack from occurring. Kahol recommends: “To prevent future incidents and protect customer data, hospitality organizations and other companies need to have full visibility and control over their customers’ data. This can be accomplished by leveraging multi-faceted solutions that enforce real-time access control, detect misconfigurations through cloud security posture management, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage.”
