MGM Hotel Chain Underreported Scale of the Recent Data Leak

In February 2020, ZDNet announced that personal data of 10.6 million guests of MGM Resorts hotels were in the public domain. However, as it turned out now, the MGM network underreported the scale of this leak by more than 10 times.

The leak included not only information about ordinary tourists and travelers, but also about personal and contact details of celebrities, CEOs of large companies, journalists, government officials and number of employees of one of the largest technology companies in the world.

“Leak included personal data such as full names, home addresses, phone numbers, email addresses and dates of birth”, – reported in ZDNet.

As it turned out now, in fact, the problem was much more serious: as a result of the attack in 2019, the data of 142 million people fell into the hands of third parties.

I also remind you that recently UniCredit Bank reports data leak of 3 million customers.

The real extent of what happened became known due to the fact that the hacker under the pseudonym NightLion put up for sale (on the Empire trading platform on the darknet) information on 142,479,937 guests of MGM hotels. The dump was assessed at $2,900.

The hacker claims that this information was obtained by hacking the DataViper service for monitoring and arresting leaks, owned by the information security company Night Lion Security.

Vinny Troia, founder of NightLion Security and DataViper, says his company never owned a full copy of the MGM database.

“A hacker is selling his own databases, not some information stolen from DataViper, and is trying to spoil the reputation of an expert company,” – said Vinny Troia.

However, MGM Reports issued a statement stating that the company was aware of the real extent of the attack.

“MGM Resorts was aware of the magnitude of the incident last summer, which was disclosed to the public,” — says the statement.

The company claims that they have already investigated this situation, notified affected users, and the vast majority of “leaked” data is only contact information (such as names, mailing addresses and email addresses).

However, the ZDNet magazine, citing KELA specialists, notes that even 142 million victims are probably not the limit.

The fact is that, according to researchers, the information stolen from MGM has been circulating in quite narrow hacker circles since at least July 2019. And an advertisement at a Russian-speaking hacker forum said that more than attackers possess information about 200 million hotel. It seems that the scale of the scandal will be no less than during the leak of 419 million contacts of Facebook users.