MGM Resorts Hack Exposes Personal Data of 10 Million Hotel Guests

A server holding personal information about guests who previously stayed at MGM Resorts properties was hacked last summer, the company said.

Leaked data included names, home addresses, email addresses, and phone numbers. The leak does not appear to have resulted in the loss of guests' financial details. A spokesperson for the company declined to confirm the exact number of people believed to be impacted.

Technology website ZDNet, which first disclosed the hack on Wednesday, reported the trove of files had contained more than 10 million entries. ZDNet reported the stolen files had recently surfaced for sale on a hacking forum.

An MGM Resorts spokesperson told Newsweek the server "contained a limited amount of information for certain previous guests of MGM Resorts."

The firm downplayed the scale of the breach, noting the data was messy and had included a significant number of duplicate records. It claimed some of the information was an easily-accessible "phonebook." The MGM spokesperson told Newsweek all impacted guests had been informed per state laws, which do not always require notification for leaks of publicly-available phonebook-style data.

"We are confident that no financial, payment card or password data was involved in this matter," the official statement added. "MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws.

"Upon discovering the issue, the company retained two leading cybersecurity forensics firms to assist with its internal investigation, review and remediation of the issue.

"At MGM Resorts, we take our responsibility to protect guest data very seriously, and we have strengthened and enhanced the security of our network to prevent this from happening again."

The hotel company, which operates hotels including the Bellagio, Mandalay Bay, and MGM Grand in Las Vegas, declined to comment on the suggestion the leak had included information celebrities and government employees. NBC News, which reached out to more than a dozen people on the list to verify that the posted personal information was accurate, reported the data appeared legitimate if old.

It remains unclear which hotels were included in the leaked files. The company asserted that just because a celebrity name appeared in an email address doesn't mean it is that person.

The scope of the breach, if estimates are accurate, does not compare to the hacking of hotel chain Marriott, which confirmed in November 2018 that the information of approximately 500 million guests was compromised after one of its guest reservation databases was infiltrated.

In December 2018, Reuters first reported hackers suspected of being responsible for the incident appeared to have been tied to a "Chinese government intelligence gathering operation."

China-aligned hackers have long been linked to covert cyberattacks on U.S. government systems, including a major intrusion of the Office of Personnel Management back in 2014.

Bellagio
An aerial photo shows the Bellagio October 19, 2005 in Las Vegas, Nevada. Ethan Miller/Getty
MGM Resorts Hack Exposes Personal Data of 10 Million Hotel Guests | Tech & Science