MGM Agrees to Pay $45 Million to Settle Data-Breach Lawsuit

In Data Breach News, Legal News
January 28, 2025
MGM Agrees to Pay $45 Million to Settle Data-Breach Lawsuit

The Wall Street Journal reports that an end is in sight to a consolidated federal class-action lawsuit against MGM Resorts International stemming from data breaches in 2019 and 2023. A federal court has given preliminary approval to a $45 million settlement.

Hackers broke into the resort operator’s systems twice, according to the suit filed in the U.S. District Court of Nevada, which combined two class-action lawsuits over separate breaches into one complaint. In July 2019, a hacker stole data including sensitive information such as driver’s license numbers, passport numbers and customer addresses. 

Then in September 2023, MGM was attacked again, this time with ransomware, in an incident that disabled the resort operator’s key systems for several days—including those to hotel rooms—as well as taking gaming machines offline. The suit claims the hackers gained access to customer information during the attack, estimating that around 37 million people were affected by both attacks.

The 2023 attack effectively shut down some of the biggest casinos on the Las Vegas Strip at the height of the summer season, costing MGM about $100 million. The company said in an October 2023 filing with the U.S. Securities and Exchange Commission it expects insurance to cover the costs. 

Read more at WSJ. Five of those responsible for the 2023 ransomware attack, known as Scattered Spider, have been arrested or charged since then.

Even with this settlement, if approved, MGM’s legal woes are not over as it is still suing the FTC over FTC’s civil investigative demand stemming from the 2023 ransomware attack.