Hackers who seized personal data from more than 10 million guests at MGM Resorts last year are now trying to cash in by selling that information to the highest bidders.
Technology publisher ZDNet reports that it found personal details on the breach victims listed on a hacking forum this week. The information includes personal and contact information on guests, including well-known celebrities and business executives.
ZDNet said it has independently verified that the information seen online is authentic.
“Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts”, a company spokesman said in a statement to the media. People compromised by the hack have been notified, the company said.
MGM Resorts said it has contracted two cybersecurity forensic investigative companies to help the company fully understand how the security breach occurred. It said it has also begun beefing up its network security to prevent future intrusions.
Data breaches are racking up
The spokesman said the leaked data did not include payment information, which was included in recent hacks of convenience store chains Wawa and Rutters. The Wawa hack, affecting 30 million customers, was reported in December. By late January, much of the data was for sale on the dark web.
Hackers began advertising the card data for sale on sites known to be used by hackers. Experts at Gemini Advisory, a threat intelligence firm, said the source of the card data was confirmed as coming from Wawa.
Hackers have been able to make a handsome profit when they market stolen data on the dark web, but the sheer volume of this information has made it more difficult to find buyers in recent years.
Late last year, researchers came across a huge collection of data on a poorly guarded server and notified authorities before it could be compromised. The data belonged to consumers in Canada, the U.K., and the U.S. and included phone numbers and social media profiles. Social Security numbers, passwords, and credit card numbers were not found.