Over 10 million people who have stayed at MGM Resorts hotels – including Twitter boss Jack Dorsey and pop idol Justin Bieber – have had their personal details posted online by hackers.

The security breach, publicised by ZDNet and security researcher Under the Breach, saw the records of 10,683,188 former guests – including names, postal addresses, phone numbers, dates of birth, and email addresses – made available in an online data dump.

According to breach notification service HaveIBeenPwned, over three million unique email addresses were included in the stash, opening opportunities for online fraudsters and other cybercriminals to exploit the information.

High profile names in the leaked database include Jack Dorsey and Justin Bieber, alongside journalists, company executives, FBI agents, and government officials.

As The New York Times reports, MGM Resorts said that some 1300 individuals had more sensitive information – such as driving licenses, passports, and military ID cards – exposed by the breach.

Fortunately, no password data or payment card information is included in the data leak, which an MGM spokesperson linked to the discovery in mid-2019 of unauthorised access to a cloud-based server. The data left improperly secured on the cloud server is believed to date back to 2017.

The company says that it notified potentially affected guests promptly as per state laws, and has worked with law enforcement and cybersecurity experts in the wake of the security breach.

However, many US states do not require hacked firms to inform customers that their data has been breached if the stolen data is already considered “public” – which includes so-called “phone book information” such as name, address, and telephone number.

Personally I would want to know if my telephone number has been the subject of a data breach, especially when linked to a particular (Read more...)