The data breach at MGM Resorts that we also wrote about earlier this year may have been far larger than previously thought. In February, when the incident was disclosed, the estimated number of guests impacted by the breach was 10.6 million; however, now it seems that as many as 142 million hotel guests were affected by the incident that goes back to July 2019.
This is after ZDNet reported that a hacker had posted an ad on a dark web criminal marketplace offering the personal data of more than 142 million former MGM Resorts guests for some US$2,900 worth of cryptocurrency.
A spokesperson for the hotel giant confirmed that the company knew about the size of the data breach. "MGM Resorts was aware of the scope of this previously reported incident from last summer and has already addressed the situation," said the spokesperson, before adding that the majority of the leaked data consisted of mostly contact information, such as names, postal and email addresses.
RELATED READING: Cybercrime black markets: Dark web services and their prices
The previous data dump contained a range of Personally Identifiable Information (PII), including full names, home addresses, phone numbers, emails, and birth dates. However, it did not appear to contain financial information or booking details, nor did it include any IDs or Social Security numbers. ZDNet was able to verify as much by reviewing the records from February, as well as a new batch of 20 million records that were released by the cybercriminals on Sunday. It also contacted past guests to confirm the veracity of the information.
It is worth noting that the leaked information could be enough for launching spearphishing campaigns or SIM swapping attacks. The victim list even includes a long list of potential high-profile targets, such as CEOs of tech companies, government officials, and celebrities.
In recent years, several other hotel operators – including InterContinental Hotels and the Trump Hotel Collection – have also fallen victim to similar incidents. Marriott Starwood suffered a data breach that affected a whopping 500 million guests.