MGM to pay $45 million in a consolidated class-action lawsuit settlement over data breaches  

A federal court has given preliminary approval to a $45 million settlement in a consolidated class-action lawsuit against MGM Resorts International for two major data breaches that exposed the personal information of millions of customers. The breaches, which occurred in 2019 and 2023, impacted approximately 37 million individuals and highlighted vulnerabilities in the company’s data security practices.  

The lawsuit, filed in the U.S. District Court of Nevada, combined claims from two separate incidents. The first breach in July 2019 involved a hacker stealing sensitive data such as driver’s license numbers, passport details, and customer addresses. 

Four years later, in September 2023, a ransomware attack targeted MGM’s systems, disrupting hotel operations and taking gaming machines offline for several days during the busy summer season. The attack also compromised customer information and cost the resort operator an estimated $100 million.  

The settlement, if finalized, will provide compensation to affected individuals. Customers whose Social Security numbers or military identification numbers were stolen are eligible for $75 payments, while those whose passport or driver’s license information was compromised can claim $50. 

All class members can opt for identity theft protection and credit monitoring services. Additionally, individuals who can prove specific harm caused by the breaches may be eligible to claim up to $15,000 in damages.  

“On behalf of millions of MGM Resort customers, I’m very pleased with this settlement,” said Douglas J. McNamara, Co-Lead Interim Class Counsel and a partner at Cohen Milstein. “The hotel and entertainment industries are particularly desirable targets for hackers. The same hackers also attacked Caesars Entertainment in 2023.”

The lawsuit accused MGM of failing to implement adequate data security measures, leaving its systems vulnerable to cyberattacks. The breaches have also drawn scrutiny from federal regulators. The Federal Trade Commission (FTC) began investigating MGM's handling of the 2023 cyberattack, issuing a civil investigative demand to the company. MGM later filed a lawsuit against the FTC, alleging the agency violated its Fifth Amendment rights and misapplied rules intended for financial institutions.  

The settlement aims to resolve the legal challenges stemming from the breaches, but MGM may still face regulatory consequences. Final approval of the settlement is expected in June.  

In a statement to the U.S. Securities and Exchange Commission in October 2023, MGM disclosed that it anticipates insurance coverage will offset the financial impact of the attacks. However, the reputational damage and operational disruptions caused by the breaches underscore the growing risks companies face from cyberattacks.  

The settlement agreement also includes provisions for attorneys' fees, with plaintiff’s lawyers permitted to request up to 30% of the $45 million fund.