This information also includes details of Justin Bieber and Twitter’s Jack Dorsey.
In 2017 or even before, the personal data of guests that stayed at MGM hotel was leaked and now it is, reportedly, posted for sale on the ideal marketplace for selling stolen data, the Dark Web.
Approximately over 10.7 million (10,683,188 to be precise) records are up for sale and this largely seems to be a repackaged bundle, revealed the head of research at KELA cyber-intelligence firm, Irina Nesterovsky.
The data was discovered by an Israeli security researcher using the name Under the Breach. The researcher claims to have access to a number of threat actors who provide him “pre-breach information” relating to most of the publicly traded firms.
The first posting on the Dark Web was published on 10 July, 2019, and originally it was posted by NSFW, a close associate of the Canva, Zynga, MyHeritage, ShareThis, and GfyCat data breaches fame Gnosticplayers cybercriminal, along with his partners, said Nesterovsky.
She further added that the recently published data has been circulating on various other platforms from the past six months. The data includes names, dates of birth, email IDs, addresses and phone numbers of the former MGM guests, and it doesn’t include passwords.
See: Hackers steal sensitive data from Japanese search engine for sex hotels
When contacted, the people affected by the data breach, some of the numbers turned out to be authentic and active as the same person answered, while some were disconnected. The company stated that despite that the data isn’t as recent as we have observed in a majority of data recently put up for sale at the Dark Web, however, in the stolen data trading world anything is acceptable.
As per Nesterovsky, the affected customers of MGM might be vulnerable to fraud attempts now as the information is now selling on so many different platforms.
On the other hand, Under the Breach claims that he has identified names of some famous personalities in the hacked database, which include the likes of Justin Bieber, Jack Dorsey, and DHS officials.
MGM spokesperson has confirmed the data loss and stated that it is quite old and payment information wasn’t compromised in the security breach. The hotel authorities claim that they did notify their customers in 2019. This was confirmed by ZDNet as it came across posts on Vegas Message Board dating back to August 2019 where people posted about being alerted about the data breach in July.
Here is a screenshot of the MGM’s listen on dark web marketplace:
According to Emily Wilson, VP of Research at digital risk protection provider Terbium Labs,
“The hospitality industry sits on a hotbed of valuable data that meets at a critical intersection of personal details, financial information, and physical safety – travel data, companions, and patterns of behavior. While those are dangerous enough if exposed for any individual, it becomes particularly concerning when high profile figures – politicians, entertainers, executives, or government and law enforcement officials – come into play.”
See: Hackers selling data of 130 million Chinese hotel clients on Dark Web for 8 BTC
“Having well-known individuals in the data set not only increases the risk for those high profile figures, but also increases the risk for everyone else in the data set. Knowing that an executive or entertainer is in the mix encourages fraudsters to flock toward it and try to exploit it, and everyday consumers face the fallout from that attention,” said Emily.
“These sorts of breaches fuel cybercrime and digital risk that organizations face every day. This exposed data is valuable inventory for criminals, who know they need to act quickly while the data is still fresh. It’s the perfect example of third-party exposure – the individuals, their banks, their employers, any organization they’re affiliated with or interact with, all face immediately increased risk as a result of this breach,” added Emily.
“Emily further states that these breaches also increase the pool of data available to powerful state actor groups that amass and consolidate whatever information they can. Organizations will feel the impact of everyday criminals having access to the data in the short term, and face a harrowing landscape of consequences from well-resourced groups in the long term.”
See: Dark Web hacker selling 126M accounts stolen from new data breaches
She warned that “these breaches also increase the pool of data available to powerful state actor groups that amass and consolidate whatever information they can. Organizations will feel the impact of everyday criminals having access to the data in the short term, and face a harrowing landscape of consequences from well-resourced groups in the long term.”