The information posted to a hacking forum did not include financial data. MGM Resorts said the intrusion into a server was detected last summer.
Cars drive into the MGM Grand Hotel and Casino in Las Vegas in January 2016. (John Locher / AP file)
Feb. 19, 2020, 10:26 PM CST
By Ezra Kaplan and Phil Helsel
The information of more than 10 million people who stayed at MGM Resorts, including data appearing to belong to government officials, was posted on a hacking forum this week.
The posting of the hacked information was first reported Wednesday by the website ZDNet.
No financial data were included in the dataset, which has been reviewed by NBC News. But it includes full names, birthdates, addresses, email addresses and phone numbers. The information was posted to the hacking forum Monday.
Last summer, the company “discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts,” MGM Resorts said in a statement.
“We are confident that no financial, payment card or password data was involved in this matter. MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws,” a spokesperson for the company said.
MGM’s statement did not disclose which properties were affected, but the company has a strong presence on the Las Vegas Strip. Its properties there include the MGM Grand, the Bellagio, ARIA and Mandalay Bay. Some people on an online Las Vegas message board noted in August that they had been notified that their data may have been stolen in July.
MGM Resorts also said that when it discovered the issue, it retained two cybersecurity forensics firms to help with the internal investigation and to determine steps to remediate the issue.
Hacked information about Twitter CEO Jack Dorsey and pop star Justin Bieber appears to be included on the list.
Others on the list include members of the military and people with email addresses connected to the Department of Homeland Security, the Justice Department, the FBI and the Transportation Security Administration.
Some of the phone numbers in the dataset are disconnected. NBC News has reached out to more than a dozen people on the list and verified that the posted personal information was accurate. Some of those on the list are employees of NBCUniversal, the parent company of NBC News.
NBC News spoke to a man with a Secret Service email address who was surprised to learn that he had been hacked. He said MGM never notified him about the breach.
The data on the hacking forum also includes information about Stephen Paddock, the man who opened fire from the 32nd floor of the Mandalay Bay Resort into crowds at a music festival Oct. 1, 2017, killing 58 people in the deadliest mass shooting in modern U.S. history. Paddock, 64, fatally shot himself as police closed in.
Lou Rabon, founder and CEO of the security company Cyber Defense Group, said the breach is “another example of why companies need to be constantly vigilant with their cybersecurity program and practices.”
“MGM Resorts failed at protecting their customers’ data,” he said in an email, adding that the matter could reflect poorly on its reputation among the public.
MGM Resorts said that it takes protecting guest data very seriously and that it has “strengthened and enhanced the security of our network to prevent this from happening again.”
There have been several large-scale hacks of companies and institutions, including a 2017 breach at Equifax that exposed sensitive data of more than 146 million people. Among the information that was exposed were Social Security numbers. Equifax is one of the nation’s biggest credit reporting services.
Last week, the Justice Department said that four Chinese military hackers were charged in the Equifax breach and that they are accused of stealing the information of around 145 million Americans. The FBI concedes it is unlikely that they will face prosecution.
Equifax CEO Richard Smith resigned in 2017 ahead of congressional hearings over the scandal, and the company later agreed to pay up to $700 million to settle federal and state investigations — with $425 million set aside for affected customers.
In 2018, Marriott International said the private information of up to 500 million guests may have been accessed as part of a breach of its Starwood guest reservation database. The hotel chain said at the time that it discovered that there had been unauthorized access since 2014.
When Attorney General William Barr announced the charges against the four Chinese military hackers in the Equifax breach, he also confirmed that China was behind the Marriott hack, which was something that had been suspected by cybersecurity experts.
NBC News verified the authenticity of the data today, together with a security researcher from Under the Breach, a soon-to-be-launched data breach monitoring service.