Personal Details Of 10.6M MGM Hotel Guests Posted On A Hacking Forum – Cybersecurity Experts React

By Security Experts | Information Security Buzz

Cybersecurity experts commented tonight on breaking news that the personal details of more than 10.6 million guests who stayed at MGM Resorts hotels have been published on a hacking forum this week. Besides the details of ordinary tourists and travelers, the leaked files also include personal and contact details for celebrities, tech CEOs, reporters, government officials, and employees at some of the world’s largest tech companies.

EXPERTS' COMMENTS

Peter Draper, Technical Director, EMEA, Gurucul | February 21, 2020

Unfortunately, users’ data being exposed and made available to a wide range of bad actors is so commonplace in today’s connected world.

Organisations that hold any personal data of their customers must really improve their protection of such data.

There are technologies available today which can be used in a multifaceted security strategy. There is much “talk” about Zero Trust strategy. Organisations need to be taking action to move towards this as a priority. Security Analytics and Automation will provide the right foundations for delivering on Zero Trust and provide better security for their customers’ data as well as the organisation’s critical data and Intellectual Property.

 

Tal Zamir, Founder and CTO, HYSOLATE

This is yet another example of attackers having the upper hand. Defenders have to protect a huge attack surface with multiple points of failure. The biggest gap relates to users and their devices. With over 5.7 million source code files and 50+ million lines of code (estimate), it’s almost impossible to successfully defend the operating system (OS) running on a user’s device. For this very reason, Microsoft is now recommending that users leverage an isolated and dedicated OS to conduct sensitive or privileged tasks, and another isolated OS to conduct their daily corporate/personal tasks. There are two ways to accomplish this – physical air gaps via two physically separated devices, or, virtual air gaps which leverage virtualization to isolate two or more operating systems on one physical device.

 

Ed Macnair, CEO, CENSORNET | February 21, 2020

Cloud servers have been a consistent feature in many of the biggest data breach stories we have seen recently. In this case, it appears that criminals gained unauthorised access, which allowed them to extract data such as names, addresses, and passport details. It’s a stark reminder of the risk that comes with cloud transformation – in the past this data would have been held on the hotel’s own servers. In many ways, moving to the cloud has eroded the traditional perimeters that protected data, so companies need to make sure they have new security practices for the cloud.

Now that this data has been stolen and published on a hacking forum, criminals will be looking at how to use it to launch a new spate of attacks. It isn’t financial information, so they can’t cash it in right away, but the personal data of high profile individuals has its own value. The most likely form of attack we will see is impersonation attacks. Executives and CEOs who have had their data stolen should be asking if their organisation’s security is capable of defending against impersonation attacks, and must alert their companies to be on the lookout for any communications that may be using their personal details to impersonate them.

Patrick Martin, Senior Threat Intelligence Analyst, SKURIO | February 21, 2020

Cloud-based servers should be regularly checked for who has read and write permissions, and those permissions modified as appropriate. For a bad actor to access or exfiltrate data they need credentials or to take advantage of an ‘open door’ which has been left unlocked. BinaryEdge, Shodan and many other tools make it easy to find these open containers. This sort of activity can be thwarted just by regularly checking that the correct permissions are in place. However, for those instances when the security has been bypassed, there are mitigating steps organisations can take to monitor for data that’s being breached, discussed, shared or sold: proactively monitoring for leaks or misuse of the data in publicly accessible databases or, in MGM’s case, on the dark web.

This incident also highlights the importance of speed when mitigating digital risk; watermarking data with unique synthetic identities can enable organisations to detect these threats immediately and be the first to find out if their data is available online, before someone else does. Setting up email listeners for these watermark identities can detect a breach before the data is shared online, if the hacker is testing for valid addresses.
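
The watermarking approach Martin describes, as an added example that is not part of the original article or of Skurio's own tooling: synthetic guest identities are derived per dataset copy from a secret, seeded into that copy as ordinary-looking records, and indexed so that either a hit in a leaked dump or a single probe message to a canary address points back to the copy that leaked. The secret, the canary domain canary.example, the dataset names and the leaked-dump fragment are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// Index maps a lower-cased canary address to the dataset copy it was seeded
// into. In practice this lives in a database consulted by the mail listener
// and by the leak scanner.
type Index map[string]string

// CanaryEmail derives the i-th synthetic address for one dataset copy.
// Keying the derivation with a secret means someone who sees one canary
// cannot enumerate the rest, and the same inputs always give the same
// address, so the index can be rebuilt from the secret alone.
func CanaryEmail(secret []byte, dataset string, i int) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprintf(mac, "%s|%d", dataset, i)
	tag := hex.EncodeToString(mac.Sum(nil))[:12]
	return fmt.Sprintf("guest-%s@canary.example", tag) // canary.example is an assumed domain
}

// Seed registers n canaries for a dataset copy and returns the addresses to
// be inserted as ordinary-looking guest records in that copy only.
func Seed(secret []byte, dataset string, n int, idx Index) []string {
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		e := CanaryEmail(secret, dataset, i)
		idx[strings.ToLower(e)] = dataset
		out = append(out, e)
	}
	return out
}

var emailRe = regexp.MustCompile(`(?i)[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}`)

// MatchLeak scans text (a pasted dump, a forum post, a dark-web listing) and
// counts the canaries seen per dataset copy, which says which export leaked,
// not merely that something did.
func MatchLeak(idx Index, text string) map[string]int {
	hits := map[string]int{}
	for _, e := range emailRe.FindAllString(text, -1) {
		if ds, ok := idx[strings.ToLower(e)]; ok {
			hits[ds]++
		}
	}
	return hits
}

// OnInboundMail is what the listener calls for every message delivered to
// the canary domain. Nobody legitimate writes to these addresses, so even a
// single probe (an attacker checking which addresses are live) identifies
// the dataset copy before the data is published.
func OnInboundMail(idx Index, rcpt string) (dataset string, ok bool) {
	dataset, ok = idx[strings.ToLower(strings.TrimSpace(rcpt))]
	return
}

func main() {
	secret := []byte("rotate-me-and-keep-out-of-the-dataset") // assumption: held in a secrets manager
	idx := Index{}
	a := Seed(secret, "export-2019-q3-vendor-a", 3, idx)
	Seed(secret, "export-2019-q3-vendor-b", 3, idx)

	// Constructed fragment of a leaked dump: one real-looking guest plus a
	// canary that the leaker happened to upper-case.
	leak := "name,email\nAlice Example,alice@example.net\nSynthetic Guest," + strings.ToUpper(a[1]) + "\n"
	fmt.Println(MatchLeak(idx, leak)) // map[export-2019-q3-vendor-a:1]
	fmt.Println(OnInboundMail(idx, a[0]))
}
```

Matching is case-insensitive because dumps are routinely re-cased or re-encoded on their way to a forum, and the count per dataset copy is what lets you tell a vendor's export apart from your own backup when both hold the same real guests.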

 

Becky Nicholson, Data Privacy Consultant, BRIDEWELL CONSULTING | February 21, 2020

We are in danger of becoming numb to data breaches, due to the frequency and scale at which they are being reported. All organizations must take steps to protect their systems and ultimately customer data. This means taking basic steps such as putting in place regular security assessments, a strong patching and password policy, and enforcement of multi-factor authentication on every public-facing system. These are not silver bullets but can go a long way to improving security.

At this stage, it’s not clear how the hacker managed to gain access to MGM’s cloud server. However, technical defense is still paramount, and in particular, regular penetration testing is vital. It’s also just as important to test employee awareness. Employees will always be the weakest link but with the right education can be an organization’s biggest asset in terms of defense. Such employee awareness training can also be measured by regular phishing or red team assessments.

 

Robert Ramsden Board, VP EMEA, SECURONIX | February 21, 2020

Given the sensitive nature of the information exposed in this leak, and the fact that this database has been discovered on a criminal hacking site, the security and privacy consequences for those whose data has been exposed could be huge. Individuals affected will incur a heightened risk of experiencing threats such as identity theft and phishing scams. Affected individuals should be hyper-aware of any suspicious communications and be vigilant.

In order to protect sensitive information, enterprises should ensure that they are using the latest security tools to isolate and mitigate anomalous behaviour in their networks before it has catastrophic consequences.

 

Sam Curry, Chief Security Officer, CYBEREASON | February 21, 2020

The latest news from MGM shouldn’t come as a surprise: the hospitality industry has a target on its back given the treasure trove in its systems. Hackers derive enormous value for what’s called Beds-and-Heads, the logistical information that allows the inference of material information across the board. With upwards of 11 million customers impacted by this latest breach, we have yet another reminder that cybercriminals are persistent, and it is only a matter of time before determined nation-states or rogue hacking groups find a way into any network they choose. It’s tempting to look at MGM as less significant than the Marriott breach, which affected 500 million customers, but smaller breaches are no less serious than larger ones for the victims.

The biggest concern in the MGM disclosure is that hackers stole deeper, more sensitive data on 1300 individuals, including information off driver’s licenses and military ID cards. While it is too early to speculate, there is the possibility the theft that appears to have impacted 11 million customers is a diversion for a specific, strategic attack to access information on influencers in government, law enforcement, politics and the public and private sector. That’s not to say that the larger set isn’t suffering but rather that their suffering is a callous digital ‘collateral damage’ covering the more focused and motivated compromise like an assassin throwing a grenade into a crowd on a busy street to cover their true intention.

Cybereason’s recent investigation into a massive global espionage campaign against 10 telecommunications companies, dubbed ‘Operation SoftCell,’ highlights the desire that China and other nation-states have to track the whereabouts of influencers across the world without regard to losses of innocent, violated by-standers. The most troubling outcome is that none of the victims are aware they are being tracked. Going forward, expect more targeted, strategic attacks to become the norm and more digital collateral damage by callous, motivated aggressors.

 

Jonathan Knudsen, Senior Security Strategist, SYNOPSYS | February 21, 2020

If we’ve learned anything from decades of data breaches, it’s that any organisation can be a target. Information has always been valuable, but now that it is falling-off-a-log easy to duplicate and transmit vast volumes of information, protection for data needs to evolve.

Taking a proactive approach to security is the best way to reduce the risk of unpleasantness. A proactive approach means thinking about security at every phase of the design and implementation of systems. One valuable activity in the design phase is threat modeling, in which you examine the system design and imagine various ways an attacker could compromise it. Based on the results of that threat model, update the design with security controls that help mitigate the risk of attack.

Using threat modeling, for example, could reveal that a compromise of a database server would reveal all its contents. Armed with this knowledge, you might implement a defense-in-depth approach to protecting your data by implementing tighter access control and encrypting the database or (better yet) encrypting individual records. Any system can be compromised, but the goal is to make the cost of breaking in greater than the possible rewards.
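
The record-level encryption Knudsen arrives at through threat modeling, as an added example that is not code from the original article or from Synopsys: each row is encrypted under its own key derived from a master key and the row identifier, with that identifier bound as associated data, so a dump of the table yields only ciphertext and a ciphertext moved between rows fails to decrypt. The master key source, the record ID format, the sample guest record and the HMAC-based key derivation are assumptions; a production system would fetch the master key from a KMS and use a standard KDF such as HKDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// recordKey derives a distinct AES-256 key for one record from the master
// key and the record's identifier. HMAC-SHA256 stands in for a proper KDF
// here (assumption); the master key itself is assumed to live in a KMS or
// HSM and never in the database, so a table dump yields only ciphertext and
// no two rows share a key.
func recordKey(master []byte, recordID string) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte("record-key|" + recordID))
	return mac.Sum(nil) // 32 bytes
}

// EncryptRecord seals one row with AES-256-GCM. The record ID is bound as
// associated data, so a ciphertext copied into another row fails to decrypt.
// Stored layout: nonce (12 bytes) || ciphertext || GCM tag.
func EncryptRecord(master []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(recordKey(master, recordID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptRecord reverses EncryptRecord and fails on any change to the
// ciphertext, the tag, or the record ID the row is stored under.
func DecryptRecord(master []byte, recordID string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(recordKey(master, recordID))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	master := make([]byte, 32) // assumption: fetched from a KMS at startup
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	// Constructed guest record: the kind of field a dump must not expose in clear.
	blob, err := EncryptRecord(master, "guest:10001", []byte(`{"name":"A. Guest","passport":"X1234567"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored:    %x\n", blob)
	pt, err := DecryptRecord(master, "guest:10001", blob)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	_, err = DecryptRecord(master, "guest:10002", blob) // same blob under another row's ID
	fmt.Println("moved to another row:", err)
}
```

The per-record key is what makes the threat-model finding actionable: an attacker who dumps the table has nothing usable, and even a compromised application host only ever holds the keys for the rows it was asked to read, provided the master key stays in the KMS and only derived keys reach the process.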

 

Matt Walmsley, EMEA Director, VECTRA | February 21, 2020

MGM has acknowledged a cloud “server exposure”. This could have easily been caused by poor cloud configuration and security hygiene, or from offensive attacker behaviors. As practitioners, we need to stop treating cloud separately from a security perspective.

As organizations increasingly use the cloud to underpin digital transformation, it is critical that security operations teams have the ability to pervasively detect and respond to attacks and unauthorized access wherever they happen. Attackers don’t operate in silos of local mobile, network, data centers, or cloud – neither should our security capabilities.

 

Niels Schweisshelm, Technical Program Manager, HACKERONE | February 21, 2020

When customers are made aware that their details may have been exposed, they must also take responsibility to update passwords that they might be using on multiple sites and stay vigilant for potential scams.

While the cloud has many benefits, when moving to the cloud, it’s important that developers have a clear change management process in place when pushing data to a live environment, as the most impactful bugs affect cloud platforms, with incorrect configurations leading to information disclosure vulnerabilities that can be used to obtain sensitive information.

As in this case, no matter how dedicated your internal team, they aren’t always looking at security in the same way an external attacker would and, therefore, the best way to augment your existing resources is to engage ethical hackers who will be running the same checks as the criminals, reporting any vulnerability, such as mis-configured cloud storage volumes leaking sensitive data.

It used to be that you had to notify cloud providers before you could run a security test, letting them know the pentester’s details, the date of testing, and the time frame. However, this no longer applies, and it’s easy to have cloud-hosted environments in scope for security testing.
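
Walmsley's cloud “server exposure” caused by poor configuration and Schweisshelm's mis-configured storage volumes both come down to a check the owner can run before an outsider does. As an added example that is not code from the original article, HackerOne or Vectra, the following program reads an S3 bucket policy document and reports every Allow statement whose principal is everyone, separating unconditional grants from ones narrowed by a Condition block. The policy document, bucket name, account ID and VPC endpoint ID are constructed for illustration; in practice the JSON comes from `aws s3api get-bucket-policy`.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an S3 bucket policy statement needed to decide
// whether it grants access to everyone. Assumes "Statement" is a list, the
// form the console and CLI emit; a bare object would need a second decode.
type Statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

type Finding struct {
	Sid         string
	Actions     []string
	Conditional bool // wildcard principal narrowed by a Condition block
}

// stringOrList accepts the two shapes IAM uses for Action and for the values
// inside Principal: a single string or a list of strings.
func stringOrList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principalIsEveryone is true for Principal "*" and for {"AWS": "*"} or
// {"AWS": [..., "*", ...]}: anonymous access plus every AWS account.
func principalIsEveryone(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	for _, v := range stringOrList(obj["AWS"]) {
		if v == "*" {
			return true
		}
	}
	return false
}

// PublicStatements returns every Allow statement whose principal is everyone.
// Statements carrying a Condition are flagged rather than passed: the
// condition may confine access (aws:SourceVpce, aws:SourceIp) or may not,
// so a person must read it.
func PublicStatements(policyJSON []byte) ([]Finding, error) {
	var p struct {
		Statement []Statement `json:"Statement"`
	}
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, err
	}
	var out []Finding
	for _, st := range p.Statement {
		if !strings.EqualFold(st.Effect, "Allow") || !principalIsEveryone(st.Principal) {
			continue
		}
		out = append(out, Finding{
			Sid:         st.Sid,
			Actions:     stringOrList(st.Action),
			Conditional: len(st.Condition) > 0 && string(st.Condition) != "null",
		})
	}
	return out, nil
}

// Constructed sample policy: a public-read statement, an account-scoped one,
// and a wildcard principal narrowed to a VPC endpoint.
const samplePolicy = `{"Version": "2012-10-17", "Statement": [
 {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::guest-exports/*"},
 {"Sid": "OpsAccount", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::guest-exports/*"},
 {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::guest-exports", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}`

func main() {
	findings, err := PublicStatements([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: everyone may %v (conditional=%v)\n", f.Sid, f.Actions, f.Conditional)
	}
}
```

A Deny statement to `*` is deliberately not reported, since it restricts rather than grants. The check covers the bucket policy only; legacy object ACLs granting to the AllUsers or AuthenticatedUsers groups, and the account-level Block Public Access settings that override both, are separate calls and belong in the same scheduled job.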

 

Jake Moore, Cybersecurity Specialist, ESET | February 21, 2020

This sort of data is a honey pot for cyber criminals. When personal information such as this is leaked it becomes very sought-after, especially when it includes contact details for a number of high profile users such as celebrities. All the users on this list should now be concerned about the increased risk of further attacks such as targeted phishing emails, or worse still, falling victim to SIM swapping. This is when cyber criminals use social engineering to manipulate mobile network providers into porting your phone number to a new SIM. Attackers can then change two-factor authentication (2FA) codes and get into online accounts bypassing passwords.

 

Adam Laub, CMO, STEALTHBITS TECHNOLOGIES | February 21, 2020

This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal, despite its age and the potential staleness in certain spots.

Something every organization can do to mitigate the risk of unauthorized access to sensitive data is to proactively seek its whereabouts. Knowing where it is should and often does lead to another series of important questions such as who has access to it, who is accessing it, how often is it being accessed, and is it even needed in the first place?

This sort of practice is becoming much more commonplace due to regulations such as the EU GDPR and California’s CCPA, which is a good direction for organizations to be headed in to avoid situations like these.

 
