MGM Resorts International has recently disclosed two significant data breaches, one occurring in July 2019 and another in September 2023. The resort company has reached a settlement agreement, allocating a substantial compensation fund of $45 million for those impacted by these breaches.
The data leaks involved extensive exposure of sensitive personal information belonging to customers and guests. Among the compromised data were vital identifiers such as names, addresses, telephone numbers, email addresses, dates of birth, driver’s license numbers, passport numbers, Social Security numbers, and military identification numbers. These breaches represent a severe lapse in data security, with significant ramifications for the individuals affected.
In response to the rising threat of cyberattacks, MGM Resorts implemented a proactive measure in September, executing a ten-day shutdown of their computer systems. This action was taken to protect against potential data breaches, highlighting the increasing necessity for heightened security protocols in the face of evolving cyber threats.
MGM Resorts operates a wide array of hotel properties across the United States, significantly in Las Vegas. Their portfolio includes iconic establishments such as the Bellagio, ARIA, and MGM Grand, among others, as well as locations in other states including MGM Springfield and Borgata in New Jersey. The diverse geographical spread of these properties amplifies the potential impact of data breaches on a broad consumer base.
For individuals in the United States who have had their private information compromised and received notification, the settlement provides a framework for filing claims. These individuals will receive unique identifiers enabling them to submit claims for restitution. Furthermore, any financial losses linked to the breaches, amounting to as much as $15,000, are also compensable. Claimants are instructed to provide supporting documentation, which may include receipts or bank statements, to substantiate their losses. Certain class members may also qualify for a flat cash payment without the need for extensive documentation.
In addition to these payments, all individuals who file claims will be entitled to one year of financial account monitoring, a necessary measure to help mitigate the risk of identity theft following such a breach. The tiered compensation structure offers varying amounts based on the nature of the compromised information, further emphasizing the serious implications of the data exposure.
This incident underscores the evolving landscape of cybersecurity threats facing organizations today. The tactics employed by potential adversaries in these breaches could align with several categories within the MITRE ATT&CK framework. These may include initial access strategies through phishing or exploitation of vulnerabilities, as well as persistence techniques that embed malicious entities within an organization’s systems. The necessity for robust cybersecurity measures and vigilant monitoring is paramount for organizations to protect their sensitive data and maintain consumer trust in an increasingly digital world.
The deadline for affected individuals to file claims through the dedicated online portal is set for June 3, while those wishing to opt out of the settlement or contest it may do so until May 19, 2025. The implications of these breaches and the subsequent settlement highlight the critical need for operational vigilance among business leaders as they navigate the complex realm of cybersecurity.