
MGM to pay $45m in data-breach lawsuit settlement
Casino resort operator’s IT systems were breached in two separate cyberattacks that resulted in tens of millions of customers having their data compromised

MGM Resorts International is to pay $45m as part of a consolidated class-action lawsuit for two data breaches involving hacks, after a federal court gave a preliminary green light for the eight-figure settlement.
In July 2019, one of the casino resort giant’s cloud services was breached, with cybercriminals able to steal details of around 37 million customers, including names, postal addresses, dates of birth, driver’s license numbers, and passport numbers.
According to the settlement document released by the United States District Court of Nevada, MGM customers had their details stolen in the hack. The information was subsequently discovered posted for sale online.
Four years later, in 2023, MGM was subjected to a ransomware attack that crippled operations; key systems, including those for hotel rooms, were down for several days, online reservations couldn’t be processed, and gaming machines were knocked offline.
Casinos affected in the 2023 attack included those on the Las Vegas Strip – the Bellagio, the Cosmopolitan, and Mandalay Bay – as well as MGM-owned properties across the US.
The hackers gained entry to MGM’s computer systems by impersonating an IT administrator, the lawsuit claimed, and again were able to access personally identifiable information on 37 million guests.
This included much of the same kind of details compromised in the 2019 hack, as well as social security numbers in some cases.
As part of their lawsuit, the plaintiffs alleged that MGM failed to put in place reasonable data security measures.
In July 2024, customers affected by both hacks and the defendant, MGM, agreed to participate in joint mediation to come to a financial settlement.
As part of the $45m settlement, there would be tiered compensation, ranging from $20 to $75 depending on the extent of the personal data taken in the breach.
Lawyers acting for the plaintiffs can apply for as much as 30% of the $45m settlement fund.
Final approval for the deal is expected in June. EGR North America has reached out to MGM for comment.
Douglas J. McNamara, co-lead interim class counsel and a partner at law firm Cohen Milstein, which represented the plaintiffs, said the hotel and entertainment industries “are particularly desirable targets for hackers.”
He also said: “On behalf of millions of MGM Resorts customers, I’m very pleased with this settlement.”
A group known as Scattered Spider was believed at the time to have been responsible for MGM’s 2023 breach, carried out with a ransomware-as-a-service operation.
Caesars Entertainment was also the victim of a cyberattack in 2023, just weeks before MGM announced its systems had been breached.
Bloomberg reported that in that incident the hackers stole data and extorted the company. The news outlet said Caesars paid “millions” to those behind the attack.