Over a dozen class action lawsuits faced by casino and hotel giant MGM Resorts following two cyber attacks are being settled after the company agreed to a US$45 million payout.
MGM suffered the first of the two cyber attacks in 2019, exposing the personal data of up to 10.6 million customers. Data included names, emails, phone numbers and birth dates.
While MGM said it would bolster its cyber defences, the casino giant was breached a second time in 2023 after Scattered Spider, a subsidiary of the ALPHV ransomware gang, gained access to its network through vishing (voice phishing), harvested legitimate credentials from the company’s Okta Agent environment, and then encrypted the network and exfiltrated data.
The incident caused disruptions and outages for weeks across the company’s casinos, costing it over US$100 million in damages.
According to class action lawyers, the two incidents affected over 37 million MGM customers, a number that has not been confirmed by the company.
According to a recent court filing, MGM agreed to a settlement of US$45 million on 21 January.
Of the US$45 million, 30 per cent will cover legal fees, while class action members can receive as much as US$75 each, depending on the data that had been stolen from them.
The settlement is set to be ruled on by a Las Vegas federal court on 18 June.
Rival casino giant Caesars Entertainment suffered a cyber incident at the same time as MGM, also as a result of the third-party attack on Okta by Scattered Spider.
Like the MGM class actions, some of the lawsuits faced by Caesars claim that the company did not adequately disclose the breaches to its customers and left them vulnerable to other potential risks.
They also suggest that the companies failed to properly secure the data of their customers and put them at risk of identity theft.
One lawsuit, representing an Illinois couple that had been members of the Caesars Rewards Program for over two decades, claimed a breach of contract with every customer whose personal data was compromised in the breach.