The personal information of more than 10.6 million guests who stayed at MGM hotels was hacked in 2019.
The data was posted to a hacking forum this week, as reported by ZDNet, and MGM then confirmed the attack to the BBC.
The stolen information included names, addresses and passport numbers of former guests.
A spokesperson for MGM Resorts said: “Last summer, we discovered unauthorised access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.”
Commenting on the news of the attack, Ed Macnair, CEO of Censornet, was concerned that the stolen information would now be used in a fresh wave of attacks.
“Cloud servers have been a consistent feature in many of the biggest data breach stories we have seen recently. In this case, it appears that criminals gained unauthorised access, which allowed them to extract data such as names, addresses and passport details. It’s a stark reminder of the risk that comes with cloud transformation – in the past this data would have been held on the hotel’s own servers. In many ways, moving to the cloud has eroded the traditional perimeters that protected data, so companies need to make sure they have new security practices for the cloud.
“Now this data has been stolen and published on a hacking forum, criminals will be looking at how they use it to launch a new spate of attacks. It isn’t financial information, so they can’t cash it in right away, but the personal data of high-profile individuals has its own value. The most likely form of attack we will see is impersonation attacks. Executives and CEOs who have had their data stolen should be asking if their organisation’s security is capable of defending against impersonation attacks and must alert their companies to be on the lookout for any communications that may be using their personal details to impersonate them.”
The spotlight has once again been shone on large organisations and their cybersecurity capabilities.