Pop star Justin Bieber and Twitter CEO Jack Dorsey were among 10.6 million MGM Resorts guests to have their personal information exposed in a data breach last year, according to multiple reports.
U.S. government officials were also affected by the breach, which MGM Resorts has confirmed was discovered last summer. Tech blog ZDNet was first to report the breach Wednesday evening, after working with a data breach monitoring service to verify personal details published to a hacking forum earlier this week.
Information exposed included full names, home addresses, phone numbers, emails, and dates of birth. An MGM Resorts spokesman said the company is “confident” that no financial, payment card, or password data was stolen.
MGM Resorts becomes the latest in an ever-growing line of major companies to have customers’ data compromised in a large-scale breach. Last month, Microsoft acknowledged nearly 250 million customer service and support records were exposed on the web through several unsecured cloud servers. Other companies hit by recent breaches include convenience store chain Wawa, banking giant Capital One, and credit reporting agency Equifax.
In the case of Equifax, the breach cost the company close to $1 billion in a settlement, in addition to an extra $1 billion it is required to spend on cyber-security enhancements. Hotel chain Marriott is also facing penalties in the wake of a breach revealed in November 2018—the U.K.’s Information Commissioner’s Office intends to fine the company roughly $124 million for violations of the EU’s General Data Protection Regulation related to the incident. Marriott has appealed the fine.
Similarly, in the United States, Salesforce and retailer Hanna Andersson have been named in a potential class-action lawsuit seeking to determine if the companies violated the California Consumer Privacy Act with regard to a data breach.
MGM Resorts does the bulk of its business in Las Vegas, where it owns the MGM Grand, Mandalay Bay, and several other properties in addition to running operations for the Bellagio. The company did not reveal which properties might have been affected by the breach.
MGM Resorts said it notified affected customers in accordance with applicable state laws, as evidenced by a post on a Las Vegas message board in August. According to ZDNet, the company believes all the stolen data was old, and it has retained two cyber-security forensics firms to investigate the breach.