Hackers leaked the personal information of over 10 million MGM hotel guests this week on an online hacking forum.
The data was obtained last summer after hackers accessed MGM servers.
Victims of the data dump include government officials, CEOs and celebrities, among others. The leaked information included personal details like full names, phone numbers, dates of birth and emails.
The majority of the stolen data is considered “phonebook information”, information available to the public even before the breach. Even so, the information obtained by the hackers could be used to conduct other types of cyber-attacks.
‘Phonebook Information’ is NOT useless
A hacker can turn this trove of seemingly useless information into a valuable asset through spear-phishing. The more detailed the information available, the easier it is to compose an email designed to trick someone.
Spear-phishing attacks only work if they’re detailed enough to fool the victim into clicking on a link or an attachment. Hackers could use the phonebook data to craft a scam involving the IRS or a digital subscription.
The hacker who dumped the information is still unknown, but experts believe they’re associated with the group GnosticPlayers. GnosticPlayers is a hacking group that dumped over a billion user records throughout 2019.
GnosticPlayers gained fame after publishing data from several hacked companies, like Canva and Zynga, among others. The group was comprised of two individuals, Nclay and DDB. Nclay would hack and DDB would sell.
Once groups like GnosticPlayers get the sought-after data, they sell it in a dark web marketplace like Joker’s Stash or Dream Market. At that point, other people can freely buy that information for their own purposes.
Although the hack at MGM is quite large, MGM isn’t the first hotel chain to get hacked. In November 2018, 500 million people had their personal information stolen in a hack that lasted four years.
Marriott’s a good example of how breaches aren’t easy to spot. Sometimes, breaches can happen without any sign that anything is wrong.
Luckily, the breach at MGM wasn’t as severe, but it could have been. MGM Resorts is publicly traded and has 80,000 employees spread throughout 29 hotels and casinos.
MGM said in a statement to ZDNet that it was “confident” no financial information was taken.
Although the majority of the leaked data was phonebook information, some guests had more sensitive data exposed online.
1,300 guests were informed that information like passport numbers was obtained in the breach.
However, most US states don’t require companies to inform their customers if public data has been exposed through a hack.