P2021-ND-136

MGM Resorts International

On or about July 10, 2019, the Organization became aware that on approximately July 7, 2019, an unauthorized third party gained access to an external cloud server (Amazon Web Services (AWS)) containing guest data. The Organization reported that, in early July, the unauthorized party obtained an employee?s credentials that had been compromised as a result of data breaches not associated with the Organization. The attacker used the compromised credentials to log in to a third party developer platform. This allowed the attacker to gain access to the data at issue for about one (1) hour. The attacker exfiltrated a data set and offered it for sale online. The Organization purchased the data from the attacker.

Categories: 2021