MGM Resorts International will pay $45 million to settle a class action lawsuit resulting from the 2023 cyberattack against its properties and an earlier 2019 incident. The lawsuit sought to hold MGM liable for the data breaches that exposed the information of “tens of millions” of its customers.
The United States District Court of Nevada issued its preliminary approval for the proposed settlement last week.
How the MGM lawsuit came about
Court documents filed on Jan. 22 detail the circumstances that led to the Nevada district court’s decisions.
MGM suffered a high-profile breach in 2019. Hackers download “certain customer data” of around 37 million MGM hotel guests. That data included:
- Names
- Addresses
- Telephone numbers
- Email address
- Birth dates
- Passport numbers
In the wake of that breach, MGM faced eight class action lawsuits. The ensuing four years resulted in a legal back-and-forth that resulted in the 2019 lawsuit being lumped in with the 2023 lawsuit for a joint mediation.
The 2023 lawsuit arose after another data breach in September of that year. Hackers posed as an IT administrator to get access to MGM’s network. The hackers froze the network and stole the information of around 37 million MGM customers and guests. The information obtained during this hack was more varied than the 2019 attack. Hackers had access to:
- Names
- Addresses
- Telephone numbers
- Email addresses
- Birth dates
- Driver’s license numbers
- Passport numbers
- Military identification numbers
- Social Security numbers
The 2023 breach was a highly publicized one, as the hack took MGM casino slot machines offline and sent the hotel chain’s check-in process into chaos.
These breaches did not impact BetMGM. The operator’s online casino and online sportsbook operated with disruption during these incidents.
MGM apologizes for 2023 breach
In the wake of the 2023 attack, MGM Resorts CEO Bill Hornbuckle released a letter to the public explaining what happened and what MGM was doing about it.
He noted that MGM was offering free identity protection and credit monitoring services to anyone who received an email from MGM alerting them to the breach.
“I’m grateful to our employees for their resilience and dedication during this time,” Hornbuckle wrote. “On behalf of everyone at MGM Resorts, I wish to also thank our customers for their loyalty and patience as we worked through this complex matter. We regret this outcome and sincerely apologize to those impacted. Your trust is paramount to us.”
MGM estimated it lost $100 million from the breach, according to local news outlets.
Breach victims could receive up to $15,000 or more
According to the terms of the preliminary approval, victims of the data breach could receive payouts of up to $15,0000. The approval also calls for a small payment to victims ranging from $20 to $75 based on the extent of a victim’s loss.
Additionally, the court said MGM’s victims could receive identity theft protection, credit monitoring, and $1 million of fraud and/or identity theft insurance for one year.
What’s next for the MGM lawsuit?
According to court documents, there will be a final approval hearing about the details of the settlement. The court will review five aspects of the case before granting final approval:
- To determine if the settlement the parties agree on is “fair, reasonable, and adequate”
- To decide if the settlement payout structure the parties agree on is “fair and reasonable”
- To decide if MGM has to pay the plaintiffs’ attorney fees
- To address any relevant issues that may have come up before the final approval hearing
- If need be, to dismiss the case
The final approval hearing is scheduled for 9 a.m. on June 18.