MGM Resorts International is the latest travel brand to suffer a security attack involving customer details, in an incident that took place last summer.
Details of the incident were uncovered last week by ZDNet, which says the personal details of more than 10 million customers were shared on a hacking forum.
The publication says it received confirmation via email from MGM Resorts, which said it contacted all guests at the time and shared that the breach took place last summer through “unauthorized access to a cloud server.”
The hospitality company, which counts the Bellagio, Mandalay Bay and the Mirage among its resorts, added that it is “confident that no financial, payment card or password data was involved in this matter."
Security experts have weighed in, in the wake of details of the breach coming to light.
Patrick Martin, senior threat intelligence analyst at Skurio, a dark web monitoring specialist, says this kind of incident can be avoided by regularly checking who has access to cloud-based servers:
“For a bad actor to access or exfiltrate data they need credentials or to take advantage of an ‘open door’ which has been left unlocked.”
He adds that companies should also monitor for leaks of the data.
“This incident also highlights the importance of speed when mitigating digital risk; watermarking data with unique synthetic identities can enable organizations to detect these threats immediately and be the first to find out if their data is available online, before someone else does. Setting up email listeners for these watermark identities can detect a breach before the data is shared online, if the hacker is testing for valid addresses.”
Meanwhile, Thorsten Geissel, director of sales engineering at cyber security specialist Tufin, advises that the same security levels for data on premise need to be in place for what is stored in the cloud.
“It’s a near-universal challenge for enterprises: the move to hybrid environments and more complex, fragmented networks makes it even harder to keep control. Without consistent policies you can pretty soon have a tangle of security gaps and compliance violations."
PhocusWire contacted MGM Resorts for a statement but a response was not forthcoming in time for publication.
In November 2018, Marriott International disclosed a data breach, which affected a Starwood-run reservation system and dated back four years to before the merger of the two companies.