MGM Resorts International, a prominent hotel chain in the United States, has reached a substantial $45 million settlement to compensate millions of customers affected by two significant data breaches. The legal resolution comes in response to security incidents that compromised the personal information of approximately 37 million individuals in the summer of 2019 and the fall of 2023.
The data breach in July 2019 primarily exposed sensitive personal information, including names, addresses, phone numbers, and dates of birth, leading to widespread concerns about potential identity theft among the impacted customers. In contrast, the more recent breach, which occurred in September 2023, not only compromised personal data but also resulted in operational disruptions across MGM’s hotel systems. Guests faced issues with their digital room keys, while critical hotel services, such as ATMs and slot machines, encountered malfunctions, significantly affecting the guest experience.
This settlement resolves a class-action lawsuit spearheaded by Tonya Owens and filed in the U.S. District Court of Nevada. Those eligible to participate in the settlement have the opportunity to claim compensation up to $15,000 for documented losses. Additionally, tiered cash payments of $75, $50, or $20 will be available based on the nature of the compromised data. The settlement also includes a provision for one year of financial monitoring to help mitigate the risks associated with identity theft.
While MGM Resorts has opted to settle the matter, it has not admitted to any wrongdoing in relation to the breaches. The claims process is set to remain open until June 3, 2025, with deadlines for opting out or objecting to the settlement established for May 19, 2025.
Understanding the tactics and techniques involved in these breaches offers crucial insights for business owners concerned about cybersecurity vulnerabilities. Referencing the MITRE ATT&CK framework, it is possible to identify several adversary tactics that might have been employed during the attacks. The breaches likely involved elements of initial access, where attackers first infiltrate the system, along with subsequent tactics related to persistence and privilege escalation, which allow them to maintain access and control over compromised systems.
As organizations like MGM Resorts face increasing scrutiny and financial repercussions due to data breaches, it underscores the necessity for robust cybersecurity measures. Businesses must prioritize the safeguarding of sensitive data, implement rigorous monitoring systems, and cultivate a culture of security awareness among employees to prevent future incidents. As the threat landscape continues to evolve, proactive investment in cybersecurity is not only a protective measure but also a vital element of corporate responsibility and customer trust.
In conclusion, the MGM Resorts data breach saga highlights the urgent need for institutions to address cybersecurity risks comprehensively. By fostering an environment of vigilance and preparedness, organizations can mitigate the impacts of similar breaches and protect against potential identity theft that can affect millions of customers.
