Over 10 million people who have stayed at MGM Resorts hotels – including Twitter boss Jack Dorsey and pop idol Justin Bieber – have had their personal details posted online by hackers.

The security breach, publicised by ZDNet and security researcher Under the Breach, saw the records of 10,683,188 former guests – including names, postal addresses, phone numbers, dates of birth, and email addresses – made available in an online data dump.

According to breach notification service HaveIBeenPwned, over three million unique email addresses were included in the stash, opening opportunities for online fraudsters and other cybercriminals to exploit the information.

High profile names in the leaked database include Jack Dorsey and Justin Bieber, alongside journalists, company executives, FBI agents, and government officials.

As The New York Times reports, MGM Resorts said that some 1300 individuals had more sensitive information – such as driving licenses, passports, and military ID cards – exposed by the breach.

Fortunately, no password data or payment card information is included in the data leak, which an MGM spokesperson linked to the discovery in mid-2019 of unauthorised access to a cloud-based server. The data left improperly secured on the cloud server is believed to date back to 2017.

The company says that it notified potentially affected guests promptly as per state laws, and has worked with law enforcement and cybersecurity experts in the wake of the security breach.

However, many US states do not require hacked firms to inform customers that their data has been breached if the stolen data is already considered “public” – which includes so-called “phone book information” such as name, address, and telephone number.

Personally I would want to know if my telephone number has been the subject of a data breach, especially when linked to a particular company such as a hotel, as it could be exploited by a fraudster in an attempt to trick me into revealing further personal information.

If a malicious attacker learns your mobile phone number they might target you in a SIM swap attack (also sometimes called a Port Out scam), where your mobile phone provider is tricked by fraudsters into handing over control of your number.

Intriguingly, Twitter CEO Jack Dorsey was hit by precisely such a SIM swap attack in September 2019, a couple of months after MGM Resorts suffered its data breach. It’s not possible to make a definitive connection between the two incidents, but it is quite a coincidence.

An MGM spokesperson attempted to reassure guests that the hotel company has since improved its security:

“At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again.”

Famous hotels run by MGM Resorts include Las Vegas’s Bellagio, the MGM Grand, Mandalay Bay, New York New York, Luxor, and Excalibur, as well as properties in Atlantic City, Detroit, Japan, and China.

The sad reality is that “hotel hacking” has been a regular headline for some years, with many well-known chains impacted. Corporate victims have included Mandarin Oriental, Trump Hotels, Hilton, Rosen, Hard Rock, Omni and Marriott, amongst many others…

Because of the sensitive information hotel groups store about their guests, it is essential that computer security is treated as a priority. Proper best practices and layered defences must be put in place to ensure that personal data is properly protected.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.