MGM Hotel breach highlights need for sophisticated cloud security

Cybercriminals posted the information of more than 10 million customers on a hacker forum a year after the initial attack on a cloud server.

Must-Read Cloud

On Wednesday, cybercriminals posted the information of more than 10 million MGM Hotel customers on a hacker forum, exposing their personal data to thousands of criminals nearly a year after the initial breach.

In a statement to ZDNet, an MGM spokesperson said: “Last summer, we discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts. We are confident that no financial, payment card or password data was involved in this matter.”

The hackers dumped the personal details—which include full names, home addresses, phone numbers, emails and dates of birth—for 10,683,188 former hotel guests, including Justin Beiber and Twitter CEO Jack Dorsey.

TechRepublic spoke to security experts about what companies like MGM Hotels can do to avoid situations like this and protect their customers’ information.

SEE: Hybrid cloud: A guide for IT pros (free PDF) (TechRepublic Premium)

Adam Laub, CMO at STEALTHbits Technologies, said one of the biggest lessons companies should learn from the situation with MGM Hotels is the lengthy lifespan of breaches like this, where cybercriminals can hold on to information they steal for months before dumping it onto the web for wider criminal use.

“This is a great example of how these breaches and their fallout can continue to haunt businesses for quite some time. It’s likely MGM thought this incident was far in the rear view, but the value of their particular dataset continues to have appeal, despite its age and the potential staleness in certain spots,” Laub said.

“It is becoming far more commonplace for cybercriminals to hold on to sensitive data for longer periods of time, knowing that news about breaches fades from collective memory relatively quickly, especially considering the increase in frequency of breaches like this.”

John Shier, Senior security adviser for Sophos, said the MGM breach was relatively small by modern standards and did not include particularly fresh information but it was a good example of the long-tail value of stolen personal data.

Even though financial data or passwords were not leaked, individuals affected by this breach are now at higher risk for spear phishing and other social attacks, such as SIM swapping and W2 scams. Criminals can correlate this data with data from other breaches and develop a richer picture of their potential targets, he said.

The hospitality industry is of particular interest to cybercriminals because of the large amount of personal data hotels collect from customers, especially high-profile entertainers, politicians and businesspeople.

Emily Wilson, vice president of research at digital risk protection provider Terbium Labs, noted that the hospitality industry sits on a hotbed of valuable data that meets at a critical intersection of personal details, financial information and physical safety–travel data, companions, and patterns of behavior.

Any breach of personal information is serious, but things become particularly dangerous when politicians, executives, government and law enforcement officials have their data exposed.

“Having well-known individuals in the data set not only increases the risk for those high-profile figures, but also increases the risk for everyone else in the data set. Knowing that an executive or entertainer is in the mix encourages fraudsters to flock toward it and try to exploit it, and everyday consumers face the fallout from that attention,” Wilson said.

“Hospitality is a unique industry for digital risk because many travelers are as likely to book travel with their corporate data as they are with their personal information. For international organizations with a high travel budget, companies with a large presence at events, or for arms of business that demand frequent travel for advisory staff, their corporate contact details and corporate billing information gets thrown into the mix. A cybercriminal scanning through the data will notice corporate domains standing out against a sea of consumer contact details, drastically increasing the risk for phishing and business email compromise for companies caught in the fray,” Wilson added.

In addition to the dangers posed by cybercriminals, Wilson noted that breaches like this increase the pool of data available to powerful state actor groups that amass and consolidate whatever information they can.

The success of attacks like this are likely to fuel even more breach attempts on other hotels and endanger not just individuals but banks, employers and any organization customers are affiliated with or interact with.

Ekaterina Khrustaleva, COO of web security company ImmuniWeb, said the MGM breach was “comparatively insignificant in light of the exposed details” and noted that the information was not likely to be used for blackmailing. But Khrustaleva did say the information gave cybercriminals access to data that could be used in other attacks.

“We should, however, not underestimate the overall impact of the breach. It provides a wide spectrum of efficient attack scenarios for cybercriminals, spanning from spear phishing to BEC and Whaling. Victims should be cautious about any incoming messages, calls or emails. Those whose passwords or secret answers can be inferred from the compromised data need to urgently consider changing their passwords and secret questions if they have not yet done so,” Khrustaleva said.

Protecting the cloud

MGM admitted that their cloud server was attacked but have yet to release more information about what exactly happened. The MGM spokesperson told ZDNet that the company has retained two cybersecurity forensics firms to conduct an internal investigation into last year’s server exposure.

While it is still unclear how cybercriminals managed to get into the company’s cloud server, the situation highlighted the need for better cloud security as many enterprises migrate services and data to cloud platforms.

Many other security experts noted that companies cannot expect security for cloud platforms to work in the same way as other storage platforms and a recent report from cloud security company DivvyCloud found that breaches caused by cloud misconfigurations cost companies worldwide an estimated $5 trillion in 2018 and 2019.

Saumitra Das, CTO at Blue Hexagon, said hackers are now trying dozens of different styles of attack to get employees of companies like MGM to click on malicious links and give away access to critical systems.

“As you see people moving to cloud platforms like Amazon, Azure and GCP, a lot of companies are not sure of how to implement security controls. A lot of the same controls that you have on premises like firewalls don’t work the same,” Das said.

“People are migrating to the cloud and they need to have better controls there, better visibility, and that’s another space that enterprises need to focus on because attackers are not just attacking your enterprise. They’re looking at the cloud for where you may have configured things wrongly so they can steal things from there.”

Gad Bornstein, security evangelist with PerimeterX, said the hackers probably exploited data stored in cloud servers that didn’t have the highest level of protection and managed to siphon off millions of records.

“Configuration errors, malicious insiders, server hacks and client-side threats can cause data breaches. Data from breaches invariably make it to the dark web. Data from multiple breaches help bad actors execute bot-driven account takeover attacks with better success,” Bornstein said.

“For enterprises with an online presence, even if they are not part of a data breach, it is important to have bot mitigation capabilities to address ATO attacks.”

Laub added that in order to mitigate the risk of unauthorized access to sensitive data, every organization should have a keen understanding of where the most sensitive information is within their system.

“Knowing where it is should and often does lead to another series of important questions such as who has access to it, who is accessing it, how often is it being accessed and is it even needed in the first place? This sort of practice is becoming much more commonplace due to regulations such as the EU GDPR and California’s CCPA, which is a good direction for organizations to be headed in to avoid situations like these,” Laub noted.

David Cook, chief information security officer at Databricks, added that any company using public clouds needs to leverage the security tools offered by cloud companies as well as their own.

He referenced the 2019 attack on Capitol One as a good example of companies that needed to have better security services that could alert teams in the event of a multipronged attack or anomalies.

“If they had some better models on the usage of S3 and said, ‘Wow, I’m having three different services hitting my S3 that weren’t doing it yesterday,’ they would have caught the anomaly immediately and understood that they were getting hit and that some of their data was being exposed,” he said.

“Misconfigurations happen all day, so you have to assume that your data is exposed. You need to look at the asset itself that you’re trying to protect and look at what’s trying to connect, who is connecting and how often. It comes down to a basic understanding of your assets, how you’re trying to protect them and then using technology to help you. There are a lot of variables you can look at to identify a breach.”