MGM Resorts Data Breach Lawsuits Settled - Millions of Records Stolen

MGM Resorts Reaches $45 Million Settlement Over Data Breaches

MGM Resorts, a leading hotel and casino operator, has reached an agreement to pay $45 million to resolve over a dozen class action lawsuits.

These lawsuits stem from cyberattacks that compromised the personal data of millions of its customers.

Details of the Settlement

The settlement was filed on January 21, as initially reported by The Record. A federal court in Las Vegas is set to approve the agreement on June 18.

This proposal follows two confirmed data security incidents at MGM Resorts in both 2019 and 2023.

The 2019 Data Breach

In 2019, malicious actors gained access to MGM’s systems and extracted a substantial amount of customer data.

This included names, residential addresses, phone numbers, and other personally identifiable information.

MGM publicly acknowledged the breach in 2020, following the publication of portions of the stolen data on a recognized cybercrime platform.

The 2023 Ransomware Attack

A significant ransomware attack in 2023 caused prolonged disruptions to MGM’s operations across the Las Vegas Strip.

Properties such as the Bellagio, Aria, and Cosmopolitan experienced weeks of outages.

During this attack, hackers also obtained customer personal information, including sensitive data like Social Security numbers and passport details.

MGM reported that the financial impact of the 2023 ransomware incident exceeded $100 million.

Impact on Customers

Legal representatives for the class action plaintiffs stated that the two breaches collectively impacted over 37 million MGM Resorts customers.

MGM has consistently refrained from disclosing the precise number of individuals affected; a request for comment from TechCrunch to MGM spokesperson Brian Ahern went unanswered.

Settlement Distribution

Approximately 30% of the $45 million settlement will be allocated to cover attorney fees.

Class action members may be eligible to receive up to $75 each, contingent upon the specific types of information compromised during the attacks.