Updated 7/14/20 – The MGM Data Breach that occurred last summer is much larger than previously thought. According to Threatpost, researchers have found 142 million personal details from former guests at the MGM Resorts hotels for sale on the Dark Web. The advertisement lists the guests’ personal details for more than $2,900.
Last summer, MGM Resorts disclosed an MGM data breach that affected around 10 million guests of the hotel company, including some fairly high-profile clients. The data, which included names, addresses, phone numbers and email addresses, appears not to have included sensitive things like payment card information or Social Security numbers. However, that does not mean the information is useless, and it certainly has not stopped hackers from posting the stolen data for sale on the Dark Web.
There are a few different reasons why hackers might target a company or website. They might want to steal information, such as in the case of the MGM data breach, or install malicious software on the company’s servers. They might simply want the “credibility” of breaking into a secure site and bragging about it later, or even the ability to protect the public, as in the case of “white hat hackers” who infiltrate a company in order to show them their own defense weaknesses.
In the case of the MGM data breach, the goal seems to have been profit. The database of information—which included records that claim to belong to Justin Bieber, Twitter CEO Jack Dorsey, U.S. government officials and even a Secret Service agent—has now been discovered for sale online.
What can criminals do with this stolen information once they buy it from the hackers? After all, it does not contain any permanent identifiers or financial account records.
The end goal for this kind of sale is to grab up the email accounts and use them for targeted spam. It could be the annoying kind of spam that floods your inbox with ludicrous consumer offers, but it could also be the dangerous kind. For example, if the hacker wants to infiltrate a government computer, they might send an email with an embedded virus to a former guest with a .gov email address. In order to get the recipient to click the link, the email just has to look like it came from MGM Resorts—or another company the person does business with—and offer some plausible reason why the recipient should open the file.
From there, the malicious software, virus or even ransomware can be installed on the victim’s computer, and then the senders can move forward with whatever plan they intend.
In order to protect yourself from this kind of attack, there are some things you can do to be more proactive. No one can prevent every cyberattack, of course, but you can at least try to slow the bad guys down.
- Throwaway email account – Establish an email account that you use specifically for things like booking travel, online shopping or even signing up for gaming apps. There is no reason to use your work email or “official” email for those kinds of activities.
- Develop good habits – Never click a link, open an attachment or download a file that you were not specifically expecting. Even if it looks like it comes from someone you know or a company you do business with, it could be spoofed and therefore could be harmful.
- Stay up to date on data breaches – Any time there is a data breach and you are informed that your information may have been compromised, that should serve as another reminder that a wave of spam or fake emails is coming your way. Be on the lookout for anything unusual and stay away from those embedded dangers.
For more information on data breaches like the MGM data breach and what they could mean to you, go to idtheftcenter.org and check out the free Breach Clarity tool that helps consumers understand their risks and take the proper steps to protect their identity.