
MGM and Caesars hit with class-action lawsuits over Nevada cyberattacks
Five complaints filed with Nevada District Court suggesting operators breached duty of care in not preventing immobilizing hack


MGM Resorts and Caesars Entertainment have been named as defendants in a total of five separate class-action lawsuits filed in Nevada over the recent cyber and ransomware attacks affecting their respective US operations.
Four separate class-action complaints, two naming MGM and two naming Caesars, were filed on September 21 by a slew of legal firms on behalf of plaintiffs affected by the breaches.
The fifth, a separate class-action complaint against Caesars Entertainment, was filed on September 22.
In all cases, class-action lawsuit participants are seeking injunctive relief from the pair, calling for jury trials in each respective case over the operators’ perceived failure to prevent these attacks from taking place.
MGM Resorts was hit with a massive cyberattack beginning on September 7, when hackers gained access to its network by impersonating an IT administrator and obtaining access credentials.
Hackers later locked down the MGM network, preventing casino resort guests from using a variety of services ranging from ATM kiosks to room keys and Wi-Fi services. Hacker group Scattered Spider soon after took credit for the initial hack.
Later on September 14, MGM was hit again with a second ransomware attack by a group known as ALPHV in which six terabytes of personal data from the MGM Rewards loyalty program was stolen by hackers.
Fellow operator Caesars Entertainment was also targeted by hackers on September 7, suffering a similar theft of personal data from its own Caesars Rewards loyalty program, leading to the firm reportedly paying hackers $15m to prevent that data from going public.
In a filing with the Securities and Exchange Commission (SEC) detailing the breach on September 15, Caesars confirmed personal data, including driver’s license numbers and social security numbers, for a significant number of members in the database was obtained, and that it was still investigating the extent of the hack.
Suits allege that in perceptibly allowing the breaches to take place by not employing adequate protections, MGM Resorts and Caesars have failed to comply with standards laid down by the Federal Trade Commission and generally accepted cybersecurity practices.
“Caesars owed a duty to plaintiffs and class members to implement and maintain reasonable and adequate security measures to secure, protect, and safeguard their PII [personal data] against unauthorized access and disclosure,” one of the suits stated.
“Caesars breached that duty by, among other things, failing to implement and maintain reasonable security procedures and practices to protect plaintiffs’ and class members’ PII from unauthorized access and disclosure.
“As a result of Caesars’ inadequate security and breach of its duties and obligations, the data breach occurred, and plaintiffs’ and class members’ PII was accessed and disclosed. This action seeks to remedy these failings and their consequences.”
In addition to the main claims made, the suits allege that Okta, a cybersecurity entity providing services to both operators, had warned of a “consistent pattern” of social engineering attacks by hackers against IT service desk personnel, in which the hackers encouraged the resetting of passwords, which would allow them to penetrate systems.
Negligence, breach of contract, and so-called unjust enrichment are also cited by plaintiffs, as is, in Caesars’ case, a separate violation of Illinois consumer protection laws.
The suits also draw attention to the increased likelihood of ongoing identity theft by hackers using individuals’ personal data stolen as part of the original hack.
MGM and Caesars have not commented publicly since the breaches beyond a statement from MGM confirming its return to normal operations on September 21, and the prior Caesars SEC filing detailing the breach on September 15.