Personal Details Of 10.6M MGM Hotel Guests Posted On A Hacking Forum – Cybersecurity Experts React

Cybersecurity experts commented tonight on breaking news that the personal details of more than 10.6 million users who stayed at MGM Resorts hotels have been published on a hacking forum this week. Besides details for regular tourists and travelers, included in the leaked files are also personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.


EXPERTS COMMENTS
Tal Zamir, Founder and CTO, Hysolate
February 21, 2020
The biggest gap relates to users and their devices.
This is yet another example of attackers having the upper hand. Defenders have to protect a huge attack surface with multiple points of failure. The biggest gap relates to users and their devices. With over 5.7 million source code files and 50+ million lines of code (estimate), it’s almost impossible to successfully defend the operating system (OS) running on a user’s device. For this very rea ....
Thorsten Geissel, Director Sales Engineering, Tufin
February 24, 2020
Without consistent policies you can pretty soon have a tangle of security gaps and compliance violations.
This breach is significant and the dumping of a treasure trove of customer details once again underlines the importance of having the same security levels for data that’s on premise, as for data stored in the cloud, to reduce the risks associated with hacks such as this. It’s a near-universal challenge for enterprises: the move to hybrid environments and more complex, fragmented networks makes ....
John M. Perry, CEO, Bluefin
February 24, 2020
The issue with MGM and similar breaches is that businesses are not adequately securing consumer data.
Last summer, MGM discovered unauthorized access to a cloud server that contained guest information. The issue with MGM and similar breaches is that businesses are not adequately securing consumer data – whether in the cloud, in their network or at the point of intake – leaving personal information in the 'clear' and just waiting to be stolen. Companies need to devalue this data with security t ....
Robert Prigge, CEO, Jumio
February 24, 2020
There is much “talk” about Zero Trust strategy.
Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world. Organisations who hold any personal data of their customers must really improve their protection of such data. There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. ....
Peter Draper, Technical Director, EMEA, Gurucul
February 21, 2020
There is much “talk” about Zero Trust strategy.
Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world. Organisations who hold any personal data of their customers must really improve their protection of such data. There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. ....
Ed Macnair, CEO, Censornet
February 21, 2020
The most likely form of attack we will see is impersonation attacks.
Cloud servers have been a consistent feature in many of the biggest data breach stories we have seen recently. In this case, it appears that criminals gained unauthorised access, which allowed them to extract data such as names, addresses, and passport details. It's a stark reminder of the risk that comes with cloud transformation - in the past this data would have been held on the hotel's own ser ....
Patrick Martin, Senior Threat Intelligence Analyst, Skurio
February 21, 2020
Setting up email listeners for these watermark identities can detect a breach before the data is shared online.
Cloud-based servers should be regularly checked for who has read and write permissions and be modified accordingly, as appropriate. For a bad actor to access or exfiltrate data they need credentials or to take advantage of an ‘open door’ which has been left unlocked. BinaryEdge, Shodan and many other tools make it easy to find these open containers. This sort of activity can be thwarted just b ....
Becky Nicholson, Data Privacy Consultant, Bridewell Consulting
February 21, 2020
Such employee awareness training can also be measured by regular phishing or red team assessments.
We are in danger of becoming numb to data breaches, due to the frequency and scale they are being reported. All organizations must take steps to protect their systems and ultimately customer data. This means taking basic steps such as putting in place regular security assessments, a strong patching and password policy, and enforcement of multi-factor authentication on every public-facing system. T ....
Robert Ramsden Board, VP EMEA, Securonix
February 21, 2020
Affected individuals should be hyper aware of any suspicious communications and be vigilant.
Given the sensitive nature of the information exposed in this leak, and the fact that this database has been discovered on a criminal hacking site, the security and privacy consequences for those whose data had been exposed could be huge. Individuals affected will incur a heightened risk of experiencing threats such as identity theft and phishing scams. Affected individuals should be hyper aware o ....
Sam Curry, Chief Security Officer, Cybereason
February 21, 2020
With upwards of 11 million customers impacted by this latest breach.
The latest news from MGM shouldn’t come as a surprise: the hospitality industry has a target on its back given the treasure trove in its systems. Hackers derive enormous value for what’s called Beds-and-Heads, the logistical information that allows the inference of material information across the board. With upwards of 11 million customers impacted by this latest breach, we have yet another re ....
Jonathan Knudsen, Senior Security Strategist, Synopsys
February 21, 2020
A proactive approach means thinking about security at every phase of the design and implementation of systems.
If we’ve learned anything from decades of data breaches, it’s that any organisation can be a target. Information has always been valuable, but now that it is falling-off-a-log easy to duplicate and transmit vast volumes of information, protection for data needs to evolve. Taking a proactive approach to security is the best way to reduce the risk of unpleasantness. A proactive approach means ....
Matt Walmsley, EMEA Director, Vectra
February 21, 2020
As organizations increasingly use the cloud to underpin digital transformation.
MGM has acknowledged a cloud “server exposure”. This could have easily been caused by poor cloud configuration and security hygiene, or from offensive attacker behaviors. As practitioners, we need to stop treating cloud separately from a security perspective. As organizations increasingly use the cloud to underpin digital transformation, it is critical that security operations teams have th ....
Niels Schweisshelm, Technical Program Manager, HackerOne
February 21, 2020
When customers are made aware that their details may have been exposed.
When customers are made aware that their details may have been exposed, they must also take responsibility to update passwords that they might be using on multiple sites and stay vigilant for potential scams. While the cloud has many benefits, when moving to the cloud, it’s important that developers have a clear change management process in place when pushing data to a live environment as the m ....
Jake Moore, Cybersecurity Specialist, ESET
February 21, 2020
Attackers can then change two-factor authentication (2FA) codes and get into online accounts bypassing passwords.
This sort of data is a honey pot for cyber criminals. When personal information such as this is leaked it becomes very sought-after, especially when it includes contact details for a number of high profile users such as celebrities. All the users on this list should now be concerned about the increased risk of further attacks such as targeted phishing emails, or worse still, falling victim to SIM ....
Adam Laub, CMO, STEALTHbits Technologies
February 20, 2020
This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time.
This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal, despite its age and the potential staleness in certain spots. Something every organization can do to mitigate the risk of unauthorized access to ....
