MGM Resorts hack exposed personal details of 10.6m guests

20 Feb 2020

Image: © Studio Barcelona/

Justin Bieber and Twitter’s Jack Dorsey are believed to be among the former guests affected by the MGM Resorts hack, according to a report from ZDNet.

The personal data of 10.6m former MGM Resorts guests was exposed and posted on an online hacking forum, according to a report from ZDNet.

Along with regular tourists and travellers, the hack also reportedly leaked personal and contact details of celebrities, CEOs, reporters, government officials, and employees from some of the world’s largest tech companies.

ZDNet said it verified the authenticity of the data with a security researcher from Under the Breach, a soon-to-be-launched data breach monitoring service. MGM Resorts confirmed the breach and said it stemmed from security incident that took place last year, where MGM’s security team discovered unauthorised access to a cloud server.

The hotel chain said it promptly notified all impacted guests and is confident that no financial, payment card or password data was affected.

ZDNet reported that Twitter CEO Jack Dorsey, pop star Justin Bieber, and DHS and TSA officials are some of the big names Under the Breach spotted in the leaked files, however MGM has not confirmed these details.

The data affected does not contain information from guests who stayed at the resorts after 2017, according to MGM and ZDNet. At the time of publication, MGM Resorts had yet to respond to a request for comment from

Not the biggest breach in the hotel industry

While this latest data breach is significant and has affected millions of guests, it’s not the biggest breach to occur within the hotel industry.

In 2018, Marriott International revealed it had suffered a massive data breach affecting personal records of up to 500m customers. The New York Times subsequently reported that the cyberattack was linked to a Chinese intelligence-gathering operation, which also targeted security clearance files of millions of American citizens, as well as major US health insurers.

In July 2019, the UK’s data protection authority confirmed it intended to fine the Marriott nearly £100m in relation to the breach for GDPR infringements. The authority said Marriott had failed to undertake sufficient due diligence when it acquired Starwood and should have done more to make sure its IT systems were secure.

Updated 4.05pm, 20 February 2020: Since the initial publication of this article, MGM Resorts responded with a statement confirming unauthorised access to a cloud server that contained a limited amount of information for certain previous resort guests. The company added that it has since strengthened the security of its network to prevent this from happening again.

Jenny Darmody is the deputy editor of Silicon Republic