Following Massive Hack, MGM Sued By Customer
Following a security breach last summer, the personal information of 10.6 million guests of the MGM hotel was leaked on a forum used by online hackers. The leak included the full names, emails, home addresses, and phone numbers of millions of MGM customers — regular people, as well as reporters, tourists, FBI officials, and even celebrities. Just a few days after this announcement, one patron of the MGM resorts has filed a lawsuit against the company.
The MGM Breach: What Happened?
Last week, the tech website ZDNet released that the personal information of millions of MGM guests had been leaked on an online forum used by hackers.
According to research conducted by ZDNet, the sensitive personal information of 10,683,188 former guests of the internationally renowned MGM Resorts hotels had been compromised.
Among those affected by the leak are tourists, government officials, resort employees, FBI officials, and celebrities, including Justin Bieber and the CEO of Twitter, Jack Dorsey.
Via email, a representative for MGM Resorts confirmed the leak had indeed occurred.
Moreover, MGM had in fact contacted guests implicated in the massive leak and reassured them at the time that there was “no evidence” that their information had been misused.
This is why the leak via an online hacking forum as reported in ZDNet is newsworthy: a direct contradiction to MGM’s assertion that their clients are protected from exactly this kind of leak, putting them at great risk of fraud.
Following the confirmation, a team from MGM Resorts told ZDNet that the breach occurred last summer, and included information of customers who had stayed in the hotel between 2017 and last summer.
Still, following the report from ZDNet and now other international publications including The Guardian, MGM has not confirmed the exact number of affected individuals, citing the high frequency of duplicates in the online leak. As such, it is possible — at least, according to them — that the number is indeed lower than what is currently being reported.
“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.”– Unnamed spokesperson, MGM Resorts International
Following Reports, A Lawsuit
After coverage of the MGM leak, local publication the Las Vegas Review-Journal reported that customer John Smallman filed a lawsuit with the U.S. District Court in Nevada.
Embedded in the lawsuit is what Smallman believes is a failure on the part of MGM Resorts International to adequately protect the security of sensitive information of its patrons.
The Las Vegas Review-Journal reports that Smallman feels he — as well as the 10,683,187 other individuals implicated in the MGM Resorts security breach — will now have to undergo additional measures to protect themselves from fraud.
As of now, the lawsuit comes down to a difference between what Smallman believes was compromised and what MGM reports as having been leaked.
According to MGM, the information leaked via the hack was what they’re calling “phone book” data — easily found and searched information, like full names.
Conversely, Smallman alleges that much more sensitive information has been leaked, including drivers’ license numbers, passport numbers, dates of birth, phone numbers, and emails and military identification numbers.
This is backed up by a report from the Las Vegas Review-Journal, which informs that at least 1,300 of the affected guests who were notified last September had information like their driver’s license or passport numbers leaked in last summer’s hack.
Smallman also takes issue with the timing of MGM’s response to the affected customers. According to his filed lawsuit, Smallman alleges that the breach happened in July, but spokespeople from the internationally-renowned casino and resort did not notify their guests until September — two months later.
Embedded in the lawsuit is a concern from Smallman that MGM Resort International does not currently have up-to-date cybersecurity measuresto protect the sensitive information of their clientele.
In the lawsuit, Smallman — backed by the Florida-based litigation firm Morgan & Morgan Complex Litigation group — alleges that the MGM Resorts International failed to notify its patrons that it does not have adequate computer systems and — by extension — cybersecurity measures, and that it failed to detect a breach of said systems.
Who Was Notified?
In addition to the lag-time between the leak and the disclosure of the leak to affected patrons (the aforementioned two months, between July and September), it seems MGM notified some 52,000 affected guests of the breach.
The notifications were informed by the various state laws which mandate the disclosure of such information. This is why so many of the notified guests happened to be from South Dakota, a state which mandates the notification of hacks.
Cybersecurity Threats: MGM Isn’t Alone
MGM isn’t the only hotel to face a security breach in recent years. The Mariott, Hyatt, and Trump hotels have similarly suffered security breaches of sensitive information.
According to the Las Vegas Review-Journal, the hospitality industry is among the top three industries at great risk of security compromise, particularly threatening the card use of clients. This is because such businesses store massive amounts of personal data for their clients.