MGM Resorts International Agrees to Pay $45 Million to Settle a Consolidated Data Breach Lawsuit

MGM Resorts International has agreed to pay $45 million to settle a data breach lawsuit stemming from cybersecurity incidents in 2019 and 2023 that exposed the personal information of 37 million people.

The 2023 ransomware attack also affected other recreation facilities, including Caesars Entertainment, and was claimed by the Russian ransomware gang Scattered Spider.

A federal judge in the U.S. District Court for the District of Nevada approved the preliminary settlement pending final confirmation.

MGM approves a $45 million data breach lawsuit settlement

Class members of twenty-two consolidated lawsuits will receive tiered payments of $75 for leaked Social Security Numbers or military IDs, $50 for passports or driver’s license numbers, or $20, depending on the nature of the information leaked. However, class members who can prove additional losses can claim up to $15,000 in compensation.

For most victims, the data breaches leaked customer names, phone numbers, email addresses, dates of birth, addresses, and passport numbers.

Hackers also stole driver’s license numbers, military ID numbers, and Social Security numbers during the 2023 ransomware attack that shut down ATMs and slot machines in Las Vegas. Cybercrime gang Scattered Spider claimed responsibility for the attack and leaked the stolen information online.

FTC investigations ongoing

However, the recent data breach lawsuit settlement might not be the last for MGM as the Federal Trade Commission is still investigating how it handled the 2023 ransomware attack. The then-FTC chair Lina Khan and senior aides were guests at the resort when the attack occurred and witnessed the disruption firsthand.

Nonetheless, the resort has filed a petition to quash or limit the probe. It said Khan’s presence at the resort deprives it of the right to due process, thus urging her to recuse herself from the case.

The FTC rejected MGM’s request to remove Khan from the probe, given that she personally experienced the attack. Khan was later replaced by a new FTC chair, Andrew N. Ferguson, after Trump returned to the White House. Thus, her role in the probe might be inconsequential to the right of due process. She could now be a witness or civil plaintiff, as MGM had previously suggested.

MGM also claimed that the FTC requested over “100 categories of information” spanning multiple years before the attack, which the resort says is irrelevant to the case.

Additionally, MGM stated that it was cooperating with law enforcement authorities to identify and prosecute the culprits; five suspected Scattered Spider ransomware gang members were arrested. Similarly, the recent data breach lawsuit settlement could highlight its willingness to support the victims.

The attack cost MGM $100 million, and the $45 million data breach lawsuit settlement only compounds its losses. The FTC probe could also result in another settlement with additional requirements, such as implementing cybersecurity measures to prevent similar data breaches in the future.

In October 2024, hotel chains Marriott and its subsidiary Starwood reached a $52 million data breach settlement to conclude an FTC investigation into a string of cyber incidents that leaked the personal information of over 340 million people.

They also agreed to implement a comprehensive security program within 180 days that enforces multi-factor authentication, allows data deletion requests, and requires data breach reporting within ten days. That program will run for two decades, resulting in continuous cybersecurity spending.

Seemingly, data breach lawsuit settlements and regulatory actions will force organizations to prioritize cybersecurity to protect their customers’ personal information.