MGM Resorts International has reached a settlement agreement of $45 million to address multiple class action lawsuits stemming from a significant data breach in 2019 and a ransomware attack that occurred in 2023. This agreement was announced in a federal court in Las Vegas on January 21, with a final approval hearing set for June 18.
In legal documents submitted to the U.S. District Court of Nevada, attorneys representing the victims reported that the cyberattacks compromised the information of over 37 million customers associated with MGM Resorts International. The 2019 breach involved hackers accessing sensitive data such as names, addresses, and passport numbers of MGM casino guests, while the ransomware attack in September 2023 expanded this threat, exposing additional personal information including driver’s license numbers, military ID numbers, and Social Security numbers.
This settlement is the result of 14 consolidated class action lawsuits, which underwent extensive mediation before an agreement was finalized on October 31. Victims will receive compensation through a tiered payment structure, with those affected most severely receiving $75, while others will see payments of $50 or $20 based on the nature of the stolen information. Additionally, individuals who can document losses related to identity theft as a consequence of these breaches may claim up to $15,000.
The settlement funds will also cover legal fees, the administration of payouts, and identity theft protection services for affected individuals. Notably, following the 2019 breach, personal information belonging to 10.6 million individuals was publicly leaked on a hacking forum, illustrating the serious ramifications of these cybersecurity incidents.
The ransomware attack in 2023 had severe operational impacts, leading to widespread disruptions across Las Vegas, where systems managing slot machines, hotel room keycards, and ATMs were rendered inoperable for days. Guests struggled to find alternative accommodations as hotels could not process credit card transactions, and casino staff were compelled to manually calculate slot machine results.
The cybercriminals linked to this attack are associated with the BlackCat/Alphv group, now defunct, which claimed responsibility for it. MGM Resorts has indicated in regulatory disclosures a financial impact of approximately $100 million from the incidents.
The company is still under investigation by the Federal Trade Commission over the ransomware attack, further complicating the aftermath of these breaches. Business owners, especially in the hospitality and entertainment sectors, ought to heed this development as a cautionary tale about the critical importance of cybersecurity measures.
The nature of these attacks aligns with tactics catalogued in the MITRE ATT&CK framework. Initial access may have been obtained through phishing or exploitation of software vulnerabilities. Persistence and privilege escalation tactics could have allowed the attackers to maintain access and extend their control during the ransomware incident. With the increasing sophistication of cyberattacks, it is crucial for organizations to implement robust cybersecurity protocols to safeguard sensitive data and prevent similar breaches in the future.