MGM Resorts Settles Class Action Lawsuit Over Cyber Attacks in 2019 and 2023.
MGM Resorts International has agreed to settle a class action lawsuit brought against the company following two major cyber attacks, one in 2019 and another in 2023. The settlement brings to a close a lengthy legal battle that highlighted the growing risks companies face from increasingly sophisticated cyberattacks and the privacy concerns of millions of affected customers.
The Cyber Attacks: What Happened?
MGM Resorts, a global gaming and hospitality giant, experienced two separate but severe data breaches that exposed the personal information of millions of customers worldwide.
The 2019 data breach came to light in early 2020 when it was revealed that the personal details of more than 10 million customers had been exposed online. The information leaked included names, addresses, phone numbers, and email addresses. While MGM assured the public that no payment card or password data had been compromised, the breach left a bad taste for customers who saw their data circulating on hacking forums.
The company faced public outcry again in 2023, following a ransomware attack that temporarily crippled MGM’s operations. Hackers disrupted key hotel and casino systems, forcing the company to revert to manual processes, including handwritten check ins for guests at its hotels. Reports later indicated that the attackers had accessed sensitive information, including Social Security numbers, dates of birth, driver’s license numbers, and even financial data in some cases.
Faced with mounting criticism over the repeated lapses in cybersecurity, MGM Resorts became the target of a class action lawsuit, alleging that the company failed to adequately protect customer data and implement sufficient security protocols despite clear warnings from its previous breach.
The Cyber Attacks Class Action Lawsuit
The class action lawsuit, filed on behalf of customers impacted by both breaches, accused MGM Resorts of negligence, breach of contract, and failure to secure sensitive personal information. Plaintiffs argued that the company’s cybersecurity measures were inadequate in light of the risks faced by large, high-profile organizations in the hospitality and gaming sectors, which are frequently targeted by cybercriminals.
Legal experts pointed out that the lawsuit highlighted not only MGM’s responsibility to implement robust security practices but also broader questions about corporate accountability in an era of escalating cyber threats. Businesses that collect vast amounts of personally identifiable information (PII) are legally and ethically obligated to safeguard it.
The plaintiffs sought compensation for damages, including financial losses, emotional distress, and the time and resources spent dealing with the fallout from the breaches. Critics of MGM argued that the dual incidents represented a failure to learn from the 2019 breach and adequately adapt to changing security threats.
The Cyber Attacks Settlement Agreement
While specific terms of the settlement were not immediately disclosed, MGM Resorts confirmed that it had reached an agreement to resolve the case. The settlement, expected to include a multimillion-dollar payout, will likely establish a compensation fund for those affected by the breaches. Eligible customers may receive financial restitution depending on the extent of damages suffered, such as fraudulent charges or identity theft stemming from the breaches.
The agreement also reportedly includes MGM’s commitment to strengthen its cybersecurity defenses. Sources close to the negotiations suggest that the company will undertake measures to upgrade its technology infrastructure, conduct regular third-party security audits, and train employees to mitigate risks stemming from phishing and other cyber threats.
This settlement aligns with a growing trend of corporations opting to resolve cybersecurity related lawsuits out of court. By agreeing to the settlement, MGM avoids a prolonged legal battle that could further harm its reputation and draw scrutiny into its internal practices.
Broader Implications for Cybersecurity
The MGM case is the latest in a series of high-profile cyberattacks that have exposed vulnerabilities across industries. Experts say the hospitality sector has been a particularly attractive target for hackers, given the vast amounts of personal and financial data collected by hotels, resorts, and casinos.
For companies, the MGM breaches serve as a cautionary tale of the financial and reputational damage that can result from inadequate cybersecurity. Businesses are being urged to invest proactively in advanced threat detection systems, continuous monitoring, and employee training to prevent similar incidents.
For customers, the case underscores the importance of vigilance in monitoring personal accounts and taking steps to protect sensitive information, such as adopting strong and unique passwords and enabling two-factor authentication when possible.
Moving Forward
MGM Resorts has assured its customers that it is taking accountability and implementing robust measures to prevent future breaches.
While the settlement marks the conclusion of this chapter, it is unlikely to be the end of the cybersecurity challenges faced by MGM Resorts or any other major corporation. In an age when businesses increasingly rely on technology to operate, the need for resilience against cyberattacks has never been greater.
For the affected customers, the settlement brings a measure of closure, but it also serves as a stark reminder of the risks inherent in an interconnected digital world. As corporations and individuals continue to grapple with the fallout from cybercrime, the MGM case sets an important precedent for accountability and the role of cybersecurity in safeguarding trust.
