Dive Brief:
- Personal data belonging to nearly 11 million guests of MGM Resorts International was published on a hacking forum, first reported by ZDNet.
- The hospitality company became aware of the data breach last summer, according to an MGM Resorts spokesperson, in an email to CIO Dive. The company says it is "confident" no financial information was involved in the incident.
- The exposed personal data contained guest names, phone numbers, emails and home addresses, according to ZDNet. The guest list reportedly included celebrities, reporters, technology executives and government officials.
Dive Insight:
MGM has enlisted the support of two cybersecurity forensics firms for its investigation and has "enhanced" its security network following the discovery. While details are unknown regarding how long remediation took, the CCPA allows companies a 30-day grace period for "curing violations."
The CCPA protects all data traceable to households or devices. However, privacy experts still debate whether an email address counts as PII. Anyone can create a falsified email address, presenting themselves as another individual. The attribution, and therefore the ability to verify the user's true identity, is a moot point, Chris Hallenbeck, CISO for the Americas at Tanium, told CIO Dive last month.
MGM has yet to offer specifics of how the intruders gained access to its guest data.
Posts in hacking forums, allegedly by NSFW, were found by darknet threat specialists KELA, according to an emailed statement to CIO Dive from Irina Nesterovsky, head of research at KELA. The firm found the posts, dating back to July 2019, using its proprietary data. According to KELA, NSFW is a "close associate of the Gnosticplayers."
Gnosticplayers was behind data dumps of MyHeritage, Under Armour, ShareThis, 500px and GfyCat last year, ZDNet reported.
Definitions and applications between GDPR and CCPA vary but both call for a timely disclosure of breaches. "MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws," the spokesperson said.
Through the CCPA, the California Attorney General can impose fines up to $2,500 per violation in a negligent case of data mismanagement.
In 2018, Marriott International disclosed a data breach — inherited from a 2016 acquisition — that also exposed an elite class of guest. The hotel was ultimately handed a $124 million fine under the General Data Protection Regulation — setting the stage for penalties outside the tech industry.
Marriott's privacy concerns were amplified by the private details the hotel logged of its guests. Travel preferences, patterns and habits are all documented. Malicious actors could use the information to compile fraudulent profiles of the elite class of guests. They could also use the data to personalize secondary attacks, such as phishing schemes.
Unlike Marriott's breach, which was disclosed prior to the enactment of the California Consumer Privacy Act, MGM's breach will likely answer to the state's law.