In a significant development following the massive data breach at MGM Resorts in 2023, victims are now able to claim their settlement payouts after a year of legal proceedings, culminating in a $45 million resolution. This breach is recognized as one of the most substantial incidents to impact the hospitality sector, occurring on September 9 of that year.
Hackers, aligned with the ALPHAHV/Black Cat ransomware group, exploited social engineering techniques to gain access to MGM’s internal systems. By deceiving an IT employee, the attackers commandeered the company’s computer networks and issued a ransom demand, which MGM staunchly declined to meet. The ensuing disruption lasted nine days, significantly affecting customer experiences; patrons found themselves locked out of their hotel rooms, while critical services such as slot machines, ATMs, and check-in systems were rendered inoperable. The breach was reported to have affected approximately 30 properties and potentially included sensitive information of 37 million customers, though estimates may vary.
Legal action soon followed as class action lawsuits emerged, linking the 2023 incident to a previous breach from July 2019, in which undetermined personal data was stolen and later published on the Dark Web. The settlement amount of $45 million was agreed upon in January, with a final judicial review scheduled for June 18.
Claiming Your Class Action Payout
MGM has reached out to verified victims, sending them notifications last year. Individuals who have not yet received confirmation can expect to get an email in the coming weeks containing a personalized ID and PIN to facilitate their claims. Moreover, those who stayed at an MGM property prior to the breaches and believe their data was compromised may still qualify to submit a claim.
Individuals demonstrating that the breach resulted in significant financial damages have the opportunity to file for claims up to $15,000. However, most claimants are expected to receive between $20 and $75, depending on the type of personal information exposed. For instance, individuals whose Social Security numbers or military identification numbers were compromised can claim $75, while those whose passports or driver’s licenses were breached can claim $50. If only names, addresses, or birthdates were involved, claimants will only be eligible for $20.
All claims must be submitted by June 3. In addition, those included in the settlement class are entitled to a year of complimentary identity theft protection and credit monitoring services. This incident serves as a reminder of the persistent cybersecurity risks businesses face today and underscores the importance of robust security measures.
The tactics employed in the MGM breach align with several categories within the MITRE ATT&CK framework, particularly relating to initial access through social engineering, as well as lateral movement within the network, underscoring the critical need for businesses to bolster employee training and incident response protocols.
