A major security breach has hit MGM Resorts hotels after the personal details of 10.6 million guests were posted on a hacking forum this week.
The stolen data belongs not only to regular tourists but also to celebrities, tech CEOs, and government officials — among them Twitter CEO Jack Dorsey and Canadian singer Justin Bieber.
The hack, which has been confirmed by MGM Resorts, was first reported by ZDNet following a tip-off from Under the Breach, a soon-to-launch data breach monitoring service.
Leaked files contain the personal details of 10,683,188 former hotel guests, including full names, home addresses, phone numbers, emails, and dates of birth. In an emailed statement to Digital Trends, a spokesperson for MGM Resorts said its team is “confident that no financial, payment card or password data was involved in this matter.”
The company said that it discovered the breach in the summer of 2019. While it has apparently made no public statement about the incident until now, it said that at the time, it contacted guests who may have been affected. It also hired two leading cybersecurity forensics firms to assist with an internal investigation into the incident.
ZDNet said that its own research suggests that none of the data corresponds with guests who made their first booking at an MGM Resorts hotel after 2017.
MGM Resorts isn’t the first hotel group to be targeted by hackers, with Mandarin Oriental and Trump Hotels among others to be hit in recent years. The biggest hotel-related breach, however, affected hundreds of millions of Marriott guests after cybercriminals stole their personal information over a period of several years before the hack was spotted in 2018.
Cybercriminals who succeed in stealing personal data may attempt to sell it via illicit hacking forums, with buyers hoping to use financial data for online shopping sprees or to withdraw money from bank accounts. MGM Resorts said customers’ payment data is safe, but the stolen information in this case could leave victims vulnerable to phishing attacks, SIM swap fraud, and other scams.
MGM Resorts told Digital Trends it takes its responsibility to protect guest data “very seriously,” adding that it has “strengthened and enhanced the security of our network to prevent this from happening again.”