MGM hack exposes data of 10 million, including government officials

The information of more than 10 million people who stayed at MGM Resorts, including data appearing to belong to government officials, was posted on a hacking forum earlier this week.

The posting of the hacked information was first reported Wednesday by the website ZDNet.

No financial data was included in the data set, which has been reviewed by NBC News. But it includes full names, birth dates, addresses, email addresses and phone numbers. The information was posted Feb. 17 to the hacking forum.

Last summer, the company "discovered unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts," MGM Resort said in a statement.

"We are confident that no financial, payment card or password data was involved in this matter. MGM Resorts promptly notified guests potentially impacted by this incident in accordance with applicable state laws," a spokesperson for the company said.

MGM's statement did not disclose which properties were affected, but the company has a strong presence on the Las Vegas Strip. Its properties there include the MGM Grand, the Bellagio, ARIA and Mandalay Bay. Some people on an online Las Vegas message board noted in August that they had been notified that their data may have been stolen in July.

MGM Resorts also said that when it discovered the issue, it retained two cybersecurity forensics firms to help with the internal investigation and to determine steps to remediate the issue.

Hacked information about Twitter CEO Jack Dorsey and pop star Justin Bieber appear to be included on the list.

Others include members of the military and people with email addresses connected to the Department of Homeland Security, the Department of Justice, the FBI and the Transportation Security Administration.

Some of the phone numbers in the data set are disconnected. NBC News has reached out to more than a dozen people on the list and verified the posted personal information was accurate. Some of those on the list are employees of NBC Universal employees, the parent company of NBC News.

NBC News spoke to one person with a U.S. Secret Service email address who was surprised to learn he had been hacked. He said MGM never notified him about to breach.

The information on the hacking forum also including information of Stephen Paddock, the man who opened fire from the 32nd floor of the Mandalay Bay Resort and into crowds at a music festival Oct. 1, 2017, killing 58 people in the deadliest mass shooting in modern U.S. history. Paddock, 64, fatally shot himself as police closed in.

Lou Rabon, founder and CEO of security company Cyber Defense Group, said the breach is "another example of why companies need to be constantly vigilant with their cybersecurity program and practices."

"MGM Resorts failed at protecting their customers' data," he said in an email, adding that the matter could reflect poorly on its reputation among the public.

MGM Resorts says that it takes protecting guest data very seriously and that it has "strengthened and enhanced the security of our network to prevent this from happening again."

There have been several large-scale hacks of companies and institutions, including a 2017 data breach at Equifax that exposed sensitive data of more than 146 million people. Among the information that was exposed in that breach were Social Security numbers. Equifax is one of the nation’s biggest credit reporting services.

Last week, the Department of Justice said that four Chinese military hackers were charged in the Equifax breach, and that they are accused of stealing the information of around 145 million Americans. The FBI concedes it is unlikely they will face prosecution.

Equifax's CEO, Richard Smith resigned in 2017 ahead of congressional hearings amid the scandal, and the credit-reporting company later agreed to pay up to $700 million to settle federal and state probes — with $425 million set aside for affected customers.

In 2018, Marriott International said that the private information of up to 500 million guests may have been accessed as part of a breach of its Starwood guest reservation database. The hotel chain said at the time that the company discovered there had been unauthorized access since 2014.

When Attorney General William Barr announced the charges against the four Chinese military hackers in the Equifax breach, he also confirmed that China was behind the Marriott hack, which was something that had been suspected by cybersecurity experts.