MGM Resorts International has agreed to a $45 million settlement to resolve multiple class action lawsuits stemming from a 2019 data breach and a 2023 ransomware attack. The settlement, confirmed in a Las Vegas federal court on January 21, will undergo a final approval hearing on June 18.
Details of the Cyberattacks
According to court filings in the U.S. District Court of Nevada, cybercriminals stole sensitive information from more than 37 million MGM Resorts customers in two separate incidents:
- July 2019 Data Breach: Hackers accessed and stole names, addresses, passport numbers, and other personal details of MGM guests.
- September 2023 Ransomware Attack: This breach exposed similar data but also included driver’s license numbers, military IDs, and Social Security numbers.
The ransomware attack in 2023 severely disrupted MGM properties, affecting slot machines, hotel room keys, ATMs, and credit card processing. Major Las Vegas hotels, including Mandalay Bay, the Bellagio, the Cosmopolitan, and the Aria, faced operational chaos, with some guests forced to seek alternative accommodations. Employees were left manually calculating slot machine payouts.
Settlement Terms and Compensation
The settlement consolidates 14 class action lawsuits filed by victims. After multiple mediation sessions, the agreement was finalized on October 31. The $45 million fund will be distributed as follows:
- Tier 1 victims: $75 each
- Tier 2 victims: $50 each
- Tier 3 victims: $20 each
Victims who can provide documentation of identity theft-related losses may receive additional compensation of up to $15,000. The settlement also covers legal fees, administrative costs, and identity theft protection services for affected customers.
Fallout from the Attacks
Following the 2019 breach, the personal data of 10.6 million MGM customers was leaked on a hacking forum. The 2023 ransomware attack, linked to the now-defunct BlackCat/Alphv gang, resulted in an estimated $100 million in losses for MGM Resorts.
Additionally, the Federal Trade Commission (FTC) continues to investigate the ransomware attack, assessing potential regulatory actions against the company.
Final Thoughts
The settlement marks a significant step toward compensating affected MGM Resorts customers. However, the breaches highlight the growing cybersecurity threats facing major corporations and the need for enhanced data protection measures.
For more updates on cybersecurity incidents and corporate settlements, stay tuned.