MGM Resorts Settles Lawsuits After Data Breaches Affect Millions of Customers

In a significant development for the hospitality industry, MGM Resorts has agreed to pay $45 million to settle more than a dozen class action lawsuits stemming from two major data breaches. The breaches, which occurred in 2019 and 2023, compromised the personal information of millions of MGM customers. The settlement, which has been preliminarily approved by a federal court in Nevada, aims to compensate those affected.
The first breach took place in 2019, when hackers stole sensitive personal data, including names, addresses, phone numbers, and other details, from MGM’s systems. This stolen data was later published on a well-known cybercrime forum. The second breach occurred in 2023, when the group “Scattered Spider” reportedly launched a ransomware attack against MGM and other resorts. This attack not only caused widespread disruptions across MGM’s Las Vegas properties, including the Bellagio, Aria, and Cosmopolitan, but also led to the theft of more personal data, such as Social Security numbers and passport information. MGM reportedly suffered more than $100 million in damages from the ransomware attack.
Together, these two breaches affected over 37 million MGM customers. Although the company has not publicly confirmed the exact number of individuals impacted, the settlement aims to address the claims of those affected by the stolen data. As part of the agreement, about 30% of the $45 million settlement fund will go toward attorney fees, and the remaining funds will be distributed to class action members, with victims potentially receiving up to $75 each, depending on the nature of the data that was stolen.
The settlement comes after extensive legal battles. This case is a reminder of the growing risks businesses face when it comes to cyber threats. With the frequency of data breaches rising, companies across all sectors must take steps to safeguard their customers’ personal information and be prepared for the potential fallout when a breach occurs.
Compliance Recommendation.
For businesses, especially those in industries handling sensitive customer data, it’s crucial to prioritize robust cybersecurity measures. Regular security audits, employee training on phishing and other cyber threats, and a well-established data breach response plan can help mitigate risks and ensure a swift response in the event of an attack. Additionally, companies should review their data breach notification policies to ensure they comply with applicable state and federal regulations, which often include stringent timelines for disclosure. In light of the MGM case, businesses should also consider cyber liability insurance to help cover the costs of any potential breaches.

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.