On Thursday morning, February 20, 2020, people in tune with cybersecurity news woke to read that the private information of almost 11 million guests who stayed at the MGM Grand hotel and casino had been posted publicly on a hacking forum. Justin Bieber, Twitter CEO Jack Dorsey, government officials and millions of other visitors had their personal information – including active cellphone numbers – posted to a public forum in a batch of data. The effects of this hotel data leak may be even more insidious than some expect.
The last big breach of hotel data was the Marriott compromise in 2018. It was attributed to alleged Chinese-sponsored attackers for the purposes of intelligence and perhaps ultimately coercion. Statecraft by intelligence organizations often relies on basic information such as how and where to find people. Getting this information in bulk, or using it to verify existing data, is a key component of building an effective intelligence program. This information leak would be quite useful for those purposes given the high-profile patrons on the list.
Because the MGM information was posted to a public forum, the perpetrators are unlikely to be affiliated with the Marriott breach. However, the widely available MGM information could be just as useful to malicious parties. While sensitive information such as payment card data was not included in the breach, this situation could be devastating to MGM for a long time given reputational repercussions and potential fines under privacy regulations. Despite discovering the breach and notifying customers over a year ago, MGM management is losing sleep over the breach again.
The cause of this breach was an unsecured cloud server. An unfortunately common situation, this breach illustrates how critical it is to establish and enforce effective policies around storage of data in cloud servers for your own organization and for third parties with access to your sensitive data. Cloud infrastructure is fundamentally different from traditional hosted environments. In a traditional hosted environment, it is possible to wall off your little slice of the Internet; the cloud does not have such easily definable walls. Cloud service providers often define the confines of virtual boundaries – how you verify and grant access to individual users to protect your data.
With digital transformation, more services and data have migrated to the cloud, both within organizations and at outsourced third parties. The fundamentally different infrastructure of the cloud requires a fundamentally different approach to risk management. The emerging technologies described below are equipped to handle securing data in the cloud:
From a third-party risk perspective, it is important to understand which of your vendors have your sensitive data and to make sure you are comfortable with how each vendor protects this data. Perform formal assessments or have in-depth conversations about how vendors are storing and protecting your data. Proper use of a CASB indicates that the vendor can keep tabs on where its employees keep data. Proper use of a CSPM indicates that the vendor is making an effort to secure the data. The mere existence of these technologies is not a guarantee that data is secured. Personnel need to be assigned to these technologies and know how to manage them. When assessing numerous internal and third-party risks, promoting the use of CASBs, CSPMs and proprietary security solutions in cloud security can help you sleep more soundly.