MGM Resorts have a bit of an embarrassing data leak on their hands. ZDNet reports the casino operator were hacked, leaking the personal details of 10.6 million visitors.
The data of the leak was published to a hacking forum recently, and security firm Under the Breach first noticed and verified its contents. MGM Resorts have confirmed the data breach as well. Amongst the details are the personal and contact details for tourists, travelers, celebrities, tech CEOs, reporters, government officials and employees. Those details include the full names, home addresses, phone numbers, emails, and dates of birth of each contact.
When reached to comment on the matter, MGM Resorts confirmed they have notified affected customers, and have known about the hack for some time. “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” they wrote.
“We are confident that no financial, payment card or password data was involved in this matter.”
While no financial data appears to have been leaked, hackers now have access to a treasure trove of data, and could attempt more direct attacks against high profile individuals. Twitter CEO Jack Dorsey, Justin Bieber, and some high-level government officials had their contact details in the leaked information.
In a way, this is all effectively old news. MGM insists that the leak had no customer details beyond 2017, and some customers have known about it since MGM notified them in August. But the company only notified customers based on local state laws requiring it, as the Las Vegas Review-Journal notes that many of the 52,000 notified were from South Dakota.
Even knowing about the hack is a very different thing than having it all suddenly show up on the web. Theoretically being told that your details being leaked is one thing, but hackers having information that could better allow them to send spearfishing emails, attempt swim swaps, or commit identity theft more generally is a much bigger threat.
That being said, as MGM Resorts only notified customers based on local state laws, that might not cover all of the victims of the hack. So any customers that stayed at an MGM before 2017 might want to be a little more vigilant than usual.