The breaches, which exposed the personal information of millions of customers, occurred in 2019 and 2023, impacting approximately 37 million individuals and revealing weaknesses in the company’s data security.
A federal court has given preliminary approval to a $45 million settlement in a consolidated class-action lawsuit against MGM Resorts International following two major data breaches. The breaches, which exposed the personal information of millions of customers, occurred in 2019 and 2023, impacting approximately 37 million individuals and revealing weaknesses in the company’s data security.
The lawsuit, filed in the U.S. District Court of Nevada, combines claims from two incidents. The first breach, in July 2019, involved a hacker stealing sensitive data such as driver’s license numbers, passport details, and customer addresses. The second breach, in September 2023, involved a ransomware attack that disrupted MGM’s hotel operations and gaming machines during the peak summer season. The attack also compromised customer data and cost MGM an estimated $100 million.
Settlement Details and Compensation
If finalized, the settlement will provide compensation to affected customers. Those whose Social Security numbers or military IDs were stolen are eligible for $75 payments, while those whose passport or driver’s license information was compromised can claim $50. All class members can also opt for identity theft protection and credit monitoring services. Additionally, individuals who can prove specific harm may claim up to $15,000 in damages.
“On behalf of millions of MGM Resort customers, I’m very pleased with this settlement,” said Douglas J. McNamara, Co-Lead Interim Class Counsel and a partner at Cohen Milstein.
“The hotel and entertainment industries are particularly desirable targets for hackers. The same hackers also attacked Caesars Entertainment in 2023.
Lawsuit and Regulatory Scrutiny
The lawsuit accused MGM of failing to implement adequate data security measures, making its systems vulnerable to cyberattacks. These breaches have drawn attention from federal regulators. The Federal Trade Commission (FTC)began investigating MGM’s handling of the 2023 attack, issuing a civil investigative demand to the company. MGM later filed a lawsuit against the FTC, alleging the agency violated its Fifth Amendment rights and misapplied rules intended for financial institutions
Pending Approval and Financial Impact
The settlement, aimed at resolving the legal challenges, is still pending final approval, expected in June 2025. MGM disclosed in October 2023 to the U.S. Securities and Exchange Commission that insurance coverage is expected to offset the financial costs of the attacks. However, the breaches’ reputational damage and operational disruptionshighlight the growing risks from cyberattacks.
The settlement agreement also includes provisions for attorneys’ fees, with plaintiff’s lawyers permitted to request up to 30% of the $45 million settlement fund.