MGM Guest Data Released Online

NATIONAL REPORT—Personal details for more than 10.6 million MGM Resorts guests were posted online this week, according to a report from ZDNet.

Included in the leaked files are personal and contact details for celebrities and other notable guests. MGM confirmed to ZDNet that the data breach occurred in the summer of 2019, and that all those affected had been notified once the company learned of the breach. “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM told ZDNet. “We are confident that no financial, payment card or password data was involved in this matter.”

Hotel Business reached out to MGM for a statement and is awaiting a response.

Security Experts React

“This is significant—over 10 million persons’ information disclosed,” said Douglas Williams, president/CEO of Williams Data Management. “While security protocols are in place, this is another example that any company and any server can be compromised. The multiple people affected need to take action to investigate their own accounts elsewhere, to ensure no loss of data or other suspicious activity.”

Steve Tcherchian, chief information security officer at XYPRO, a cybersecurity analytics company, said that it is important for companies to do everything they can to protect data. “Leveraging the cloud doesn’t absolve a company from properly protecting data they have access to,” he said. “It’s imperative for companies to think about how to bolster their security on the cloud. Businesses need to prioritize cloud security. It is the responsibility of every business to follow best practices in terms of security configurations, credential storage, permissions, vulnerability management, monitoring and more.”

The same accessibility that many organizations enjoy about the cloud can facilitate crimes of opportunity. “Not following through on this strategy and not having the right skills in place leaves your cloud platform just as insecure as not securing an on premise environment, as many brands such as MGM have discovered,” he said. “Storing your data on the cloud does not absolve you or shift your data security responsibilities to someone else. If you own data, your business is the one responsible to protect it, regardless of where it physically resides. The same strategy, controls and monitoring used to secure your on-premise assets needs to be used to secure your cloud infrastructure—but adapted for the cloud.”

Tal Zamir, founder/CTO of cybersecurity software firm Hysolate said this is another example of attackers having the upper hand. “Defenders have to protect a huge attack surface with multiple points of failure,” he said. “The biggest gap relates to users and their devices. With over 5.7 million source code files and 50-plus million lines of code (estimate), it’s almost impossible to successfully defend the operating system (OS) running on a user’s device. For this very reason, Microsoft is now recommending that users leverage an isolated and dedicated OS to conduct sensitive or privileged tasks, and another isolated OS to conduct their daily corporate/personal tasks. There are two ways to accomplish this—physical air gaps via two physically separated devices, or, virtual air gaps which leverage virtualization to isolate two or more operating systems on one physical device.”