MGM Resorts International has settled a class-action, data-breach lawsuit over two prior cyberattacks, according to a report from the Wall Street Journal.
A federal court gave initial approval to a $45-million settlement to resolve allegations that MGM failed to protect personal information for millions of customers in two separate data breaches in 2019 and 2023.
The suit, which combined two class-action lawsuits into one complaint, was filed in the U.S. District Court of Nevada and alleged that MGM failed to implement any data-security practices, which could have possibly prevented those attacks from happening.
A look back
Back in July 2019, hackers stole customer data that included customer addresses, driver’s licenses, and passport numbers. More than four years later in September 2023, MGM was yet again hacked, but in a different way, by ransomware. The attack disabled MGM's key systems for several days, affecting those already in hotel rooms and took gaming machines on the casino floor offline. Customer info was also taken in the attack.
The 2023 attack froze some of the biggest casinos on the Las Vegas Strip from operating, costing MGM up to $100 million right in the heart of the summer season. Both of the attacks affected around 37 million people.
A month after the latest attack, MGM said in an October 2023 filing with the U.S. Securities and Exchange Commission it expected insurance to cover the costs.
What will customers receive?
The reported settlement would provide compensation for any customers affected, based on the severity of what information was stolen.
For example, if a customer had their Social Security or military ID numbers stolen, the individual would be entitled to up to $75. If someone’s driver’s license or passport ID numbers were taken, the individual would get $50.
Any customers who can prove harm caused by either data breach could claim up to $15,000.
Final approval of the preliminary deal is expected in June.
