MGM Resorts Hit in 2019 Data Breach, Hackers Shared Info of 10.6 Million Guests on Dark Web

Posted on: February 19, 2020, 05:34h. 

Last updated on: February 20, 2020, 10:05h.

Todd Shriber @etfgodfather Read More
Expertise: Financial, Gaming Business, Mergers and Acquisitions.

MGM Resorts International (MGM) was the target of a large-scale technology infiltration last year, one that resulted in the personal data of more than 10.6 million guests being shared on the dark web.

Bellagio operator MGM was the target of a hack in which 10.6 million records were stolen. (Image: Axios)

ZDNet broke the story earlier today, reporting that it had “verified the authenticity of the data” and that the gaming company confirmed that a contravention of guests’ private information occurred last year.

MGM, the largest operator on the Las Vegas Strip, told the outlet it notified the former guests about the incident. To be precise, hackers obtained data for 10,683,188 past MGM patrons, including celebrities, government officials, and journalists.

Data obtained by the cyber thieves include full names, home addresses, phone numbers, emails, and dates of birth. But MGM told ZDnet it’s confident payment card data and passwords weren’t found in the attack.

Among the rumored well-known victims in the breach of MGM guest data are pop star Justin Bieber and Jack Dorsey, the CEO of Square and Twitter.

Casino.org reached out to MGM for comment, but did not hear back prior to publication of this article.

Not The First Time

Casinos, both land-based and online, have become prime targets for cyber criminals. In 2015, the US government accused Iran of authorizing a hack against Las Vegas Sands (LVS) after Chairman and CEO Sheldon Adelson – an ardent supporter of Israel – made harsh comments against the Islamic Republic’s nuclear ambitions.

Last year, the US Department of Justice (DOJ) shut down a vast hacking operation run out of Eastern Europe. That operation tried to steal $100 million from a variety of American businesses, including an unidentified casino in Gulfport, Mississippi, using a computer virus known as GozNym.

More recently, Golden Entertainment said that it discovered instances of unauthorized access to employees’ email accounts running from May 30, 2019 through Oct. 6, 2019. Golden operates the Strat on the Strip, as well as nine other gaming properties in Nevada and Maryland.

The architects of that breach reportedly obtained sensitive information, such as drivers licenses, payment cards and Social Security numbers. Golden previously notified guests, staff, and vendors about the situation.

Small by Comparison

At a time when customers – regardless of industry – are taking seriously guarding of their data, an information violation is never a good look for companies. But if there’s a silver lining for MGM, it’s that 10.6 million records is a relatively small-scale attack.

Focusing on the travel and leisure industry, the MGM hack is paltry compared to the 383 million records cyber thieves swiped from Marriott’s Starwood hotels. That infiltration was announced in 2018 and reportedly started in 2014.

The MGM breach is also a fraction of the size of the 147 million cyber criminals pilfered in the 2017 penetration of credit scoring firm Equifax.

In the 2010s, the largest data breach occurred in 2013, impacting each of Yahoo’s three billion users. That incident came to light in 2016, when the company said at least 500 million accounts were targeted. But a subsequent announcement put the figure north of one billion and it rose from there.