UPDATED 22:01 EDT / JULY 14 2020

SECURITY

142M alleged MGM customer records found for sale on the dark web

A data breach involving the theft of customer records from MGM Resorts International last year may have been much larger than initially thought, with some 142 million allegedly hacked MGM customer records found for sale on the shady part of the internet known as the dark web.

The data breach was discovered in February when some 10.6 million MGM customer records were found online. MGM confirmed the news, saying at the time that the hack took place in summer 2019 and that it involved “unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts.”

The initial data found in February included full names, addresses, phone numbers, dates of birth, email addresses and in some cases passport and driver's license numbers. Some of the records included government officials, chief executive officers and others, notable among them Twitter Inc. Chief Executive Jack Dorsey and singer Justin Bieber.

According to ZDNet, a hacker known as NightLion listed more than 142 million MGM hotel guest records for sale at a price of $2,900 on a dark web site over the weekend. NightLion is the same hacker who claims to have stolen some 8,200 databases, containing the information of billions of users in breach databases, from DataViper late last week, and who claims that he obtained the MGM database from DataViper.

In the case of DataViper, company owner Vinny Troia claimed that the hacker gained access only to a test instance and that the databases being offered were the hacker’s own and not stolen information. In this case, Troia told ZDNet, his company has never owned a copy of the MGM database and the hacker is trying to ruin his reputation.

The claims from Troia combined with MGM never providing the exact number of records stolen in the hack make it difficult to ascertain whether the 142 million alleged records offered for sale are legitimate.

“MGM’s breach, if accurate, is huge, calling once again for better data security practices for data in cloud systems from where the data appears to have been stolen,” Mark Bower, senior vice president at data security services company comforte AG, told SiliconANGLE. “The new breach of 142 million records, despite being limited to names and addresses, can still be considered personal data with substantial financial ramifications under the mix of jurisdictions. This will likely trigger even deeper increased scrutiny and concern from a variety of regulators over privacy handling practices and specifically data security.”

Casey Kraus, president of serverless security firm Senserva, noted that even if no financial information is contained in the data breach, it still exposes millions of people worldwide to possible risk as well as organizations that they work for.

“The information contained could be used to try to gain entry into corporate networks where further damage can be done outside of just the individual,” Kraus said. “Without being able to identify how the breach occurred and help others better secure their environments, similar incidents are bound to be repeated.”

Paul Bischoff, privacy advocate at tech research company Comparitech Ltd., warned that “MGM Hotel guests should be on the lookout for targeted scams and phishing messages from fraudsters.

“These attacks might come via phone or email and might include information such as your name and address in order to make them more personalized and convincing,” Bischoff said. “Never click on links in unsolicited emails, check the spelling of the sender’s email domain and be sure to verify the sender before responding using contact information found through a Google search.”

Photo: Zereshk/Wikimedia Commons
