Overview
Cohen Milstein represents plaintiffs nationwide in a consolidated class action against MGM Resorts International for allegedly failing to implement reasonable data security practices, thereby allowing the personal information of MGM Resorts hotel guests and customers to be stolen in two massive data breaches in July 2019 and September 2023.
Plaintiffs alleged that because MGM Resorts failed to implement reasonable data security practices, MGM customers’ personally identifiable information (PII), including addresses, driver’s license numbers, social security numbers, passport numbers, phone numbers, email addresses, dates of birth, and other information, were stolen as a result of the two data breaches. Some of the information was subsequently posted for sale on online forums.
Important Rulings
- On January 22, 2025, Judge Gloria M. Navarro of the United States District Court for the District of Nevada preliminarily approved a $45 million global settlement against MGM Resorts.
- On November 3, 2022, the court denied the bulk of MGM Resorts’ motion to dismiss in this consolidated data breach class action.
- On February 1, 2021, Cohen Milstein’s Douglas J. McNamara was court-appointed Co-Lead Interim Class Counsel.
Case Background
Originally filed on March 13, 2020, Cohen Milstein’s clients and other plaintiffs allege that MGM Resorts International, a global hospitality, entertainment, and resort company, which operates properties across the U.S. including the Bellagio, Mandalay Bay and MGM Grand, failed to implement reasonable data security practices to protect MGM customer personally identifiable information (PII), including addresses, driver’s license numbers, passport numbers, phone numbers, email addresses, and dates of birth, and other information.
On or about July 7, 2019, an unauthorized individual gained access to MGM’s computer network and proceeded to exfiltrate the PII of MGM’s customers. In February 2020, it was reported that PII of 10.6 million guests was stolen. In July 2020, ZDNet reported that the PII of more than 142 million guests was stolen. On more than two separate occasions, the stolen PII was posted for sale on online forums.
Then on or about September 7, 2023, in a separate cybersecurity incident, unauthorized individuals accessed MGM’s network by impersonating and information technology administrator thereby gaining access to tens-of-millions more PII.
MGM’s Privacy Policy informed customers that MGM would protect their data. Moreover, the hotel industry is a particularly desirable target for hackers given the types of PII that hotels acquire from guests. Despite those facts, Plaintiffs claim, MGM failed to implement reasonable security practices. As a result, Plaintiffs claim, they and similarly situated individuals are at imminent, immediate, and continuing risk of harm from identity theft and fraud.