MGM Resorts International Required by Court to Pay $45 Million Settlement in 2023 Cyber Attack
A class action suit that was brought to the US District Court in Nevada against MGM Resorts International has been granted a $45 million settlement for the cyber attack in September of 2023. The plaintiffs argued that MGM Resorts was negligent when it came to its cybersecurity protocols, which put the guests' personal information at risk and their personal data compromised.
The US District Court for the District of Nevada has granted approval for a $45 million settlement in a lawsuit filed against MGM Resorts International following a series of cyberattacks that exposed sensitive customer data. The settlement addresses claims stemming from two major cyber incidents: the September 2023 ransomware attack and a prior July 2019 breach that compromised millions of customers' personal information.
Cybersecurity failures and plaintiffs' claims
Plaintiffs in the class action alleged that MGM Resorts failed to implement adequate cybersecurity protocols, leaving customers’ personally identifiable information vulnerable to exploitation. Counsel for the plaintiffs emphasized that these lapses exposed sensitive information such as Social Security numbers, military IDs, passport numbers, and driver's license details.
The plaintiffs' attorneys, Cohen Milstein Sellers & Toll PLLC, asserted that MGM's insufficient cyber defenses contributed to both breaches. Notably, cybersecurity ratings firm BitSight had previously given MGM a cybersecurity grade of 'F' before the September 2023 attack, highlighting vulnerabilities in the company's defenses.
Financial relief for victims
Under the settlement terms, significant financial relief and support measures have been offered to those affected by the breaches.
Cash payments:
Class members whose military identification numbers or Social Security numbers were exposed are eligible for $75 payments in cash, while those whose passport or driver's license numbers were compromised can claim $50.
Identity theft protection:
All affected individuals are entitled to opt for credit monitoring and identity theft protection services, providing an additional layer of support for victims concerned about long-term impacts on their personal and financial security.
Tiered compensation for documented losses:
In cases of severe harm, victims can claim up to $15,000 to cover documented losses, including legal fees, identity theft, and the costs of credit repair. To qualify, victims must provide reasonable documentation of losses directly linked to the breaches and attest to these under penalty of perjury.
MGM's cybersecurity challenges
The September of 2023 cyberattack, executed by a hacker group known as 'Scattered Spider,' temporarily disrupted MGM's casino and hotel operations, resulting in estimated losses of $100 million and an additional $10 million in one-off costs. The incident added to MGM's history of cybersecurity struggles, including a 2019 breach that exposed the data of 10.6 million customers and a BetMGM data breach disclosed in December 2022.
Douglas McNamara, the co-lead counsel and a partner at Cohen Milstein, noted that the entertainment and hotel sectors are particularly attractive targets for cybercriminals due to the sensitive data they handle. McNamara is also involved in a class action suit against Caesars Entertainment, which suffered a ransomware attack in 2023 from the same hacker group. Caesars reportedly paid as much as $30 million to the hackers to prevent further disruption, a strategy MGM did not pursue.
Fallout and industry implications
The fallout from the attacks emphasizes the growing threat of cybercrime in the hospitality industry. MGM's decision to follow FBI protocols by refusing to pay the ransom resulted in operational losses but also highlighted the challenges companies face when navigating ransomware attacks. The class action settlement serves as a stark reminder of the importance of robust cybersecurity measures, particularly for organizations handling sensitive customer data. It also sets a precedent for financial accountability in cases where companies fail to safeguard such information effectively.
As cyber threats evolve, businesses in the hospitality and gaming industries face increasing pressure to strengthen their defenses. The resolution of the MGM class action provides a measure of closure for victims but also raises questions about the adequacy of cybersecurity practices across the sector.
With the preliminary approval of this $45 million settlement, affected customers are now one step closer to receiving compensation for their losses. The settlement not only provides financial relief but also emphasizes the necessity of adopting stringent cybersecurity protocols to prevent future breaches.
Casino news









