MGM confirmed this week that the hack took place last summer. The data exposed included names, addresses, and passport numbers for former guests. MGM said it was confident that no financial information had been exposed. They could not confirm exactly how many people had been impacted because information that was exposed might be duplicated. MGM said that most of the data that was stolen was already publicly available, such as names, telephone numbers, and email addresses. However, 1,300 former guests were notified that more sensitive information including passport numbers had been revealed. A further 52,000 customers were told that less sensitive personal information was exposed. MGM said its notification to customers followed state laws. Most US states do not require companies to tell customers if data which is already public has been exposed during a hack.
This is not the largest hacking of hotel guest information. In 2017, Marriott Hotels experienced a much larger data breach exposing 500 million guests. That attack was linked to Chinese state-sponsored hackers.
www.bbc.co.uk/technews (20th February)