July 15, 2020

142M MGM guests exposed in data breach

hackerA hacker has put the information of more than 142 million MGM hotel guests up for sale on a cybercrime marketplace. MGM Resorts suffered a data breach in summer 2019, but the breach wasn't reported until February when roughly 10.6 million guests' data were available for download on a hacking forum.

According to ZDNet, an MGM spokesperson said most of the data included contact information, such as names, addresses, and emails; birth dates and phone numbers were also included. Financial information, Social Security numbers and IDs were not compromised.

"The hacker claims to have obtained the hotel's data after they breached Data Viper, a data leak monitoring service operated by Night Lion Security," ZDNet reported. Data Viper advertises itself as a "threat actor intelligence research & brand monitoring platform for investigators and law enforcement."

A separate report from KrebsOnSecurity Monday revealed that Data Viper, which provides access to roughly 15 billion usernames, passwords, and other information exposed in more than 8,000 website breaches, had been hacked and its user database posted online. Krebs reported that while some of Data Viper's data is from publicly-disclosed breaches, it also collects private and undisclosed breach data.

The Data Viper breach has led to new sales threads on a dark web marketplace. Krebs noted that cybercriminals use exposed usernames and passwords to engage in "credential stuffing," which is a successful form of cybercrime "when people use the same passwords across multiple websites."

As a leader in calling for national data security standards, NAFCU has many resources available to ensure credit unions can effectively identify and address cybersecurity concerns. The association continues to urge Congress to pass national data security and privacy standards that ensure all entities protect consumers' personal data and are held accountable to the same security practices as credit unions.

The association is committed to helping credit unions stay informed of cybersecurity developments; subscribe to NAFCU Today for the latest updates.