Earlier this year, it was reported that MGM Resorts experienced a data breach last summer that affected some 10.6 million people. Now, ZDNet is reporting that the breach was much larger than originally reported and implicated the data of over 142 million hotel guests. Hackers are trying to sell that data on the dark web. While it is not surprising that hackers are selling the data, it is surprising that it appears to include information from over 14 times the number of affected individuals reported earlier this year.
What is particularly interesting is that while MGM Resorts claims to have notified all affected parties as required by law, a spokesperson confirmed to ZDNet that it knew about the scope of the breach earlier this year. What does that mean exactly? For one thing, it means that MGM Resorts does not appear to have corrected the reported impact earlier this year even though it publicly acknowledged the breach and knew it was larger than what was being reported. MGM Resorts’ decision about what it disclosed is a business decision for which we on the outside don’t have all the facts. While this could be beneficial for the company’s bottom line by avoiding the added publicity, it could be a disservice to the 142 million guests whose data was breached. Even if it was disclosed to each individual, it is easy for something like that to get lost in the noise of life. With news of breaches surfacing every week, what really makes the difference is when media coverage amplifies that signal so those affected can realize what may have happened.
Two takeaways from this news at this point. The first is that if your business experiences a breach, you should think about what you disclose, to whom, why, and when. There are disclosures that are required and disclosures that just make sense. MGM Resorts made a business decision here and only time will tell whether it was the right decision. You should watch this and see whether it ends up being the right choice. The other takeaway is that if you have been a guest at any MGM Resorts property in the past, you should take this opportunity to make sure you check on your credit for any unusual activity and change any passwords you may have used relative to MGM Resorts.