January 27, 2025
The deal would resolve a consolidated class-action over two cyberattacks, one of which cost the resort operator $100 million
A federal court gave preliminary approval to a $45 million settlement in a consolidated class-action lawsuit brought against MGM Resorts International for data breaches in 2019 and 2023.
Hackers broke into the resort operator’s systems twice, according to the suit filed in the U.S. District Court of Nevada, which combined two class-action lawsuits over separate breaches into one complaint. In July 2019, a hacker stole data including sensitive information such as driver’s license numbers, passport numbers and customer addresses.
Then in September 2023, MGM was attacked again, this time with ransomware, in an incident that disabled the resort operator’s key systems for several days— including those to hotel rooms—as well as taking gaming machines offline. The suit claims the hackers gained access to customer information during the attack, estimating that around 37 million people were affected by both attacks.
The suit alleges MGM failed to implement data-security practices, resulting in the breaches. MGM declined to comment.
The 2023 attack effectively shut down some of the biggest casinos on the Las Vegas Strip at the height of the summer season, costing MGM about $100 million. The company said in an October 2023 filing with the U.S. Securities and Exchange Commission it expects insurance to cover the costs.
Read MGM Agrees to Pay $45 Million to Settle Data-Breach Lawsuit.