MGM Resorts Settles for Data Breach Victims Following Cyberattacks
MGM Resorts has agreed to a significant settlement, committing multimillion-dollar compensation for individuals impacted by data breaches that occurred in 2019 and 2023. Victims could be eligible to receive payments of up to $75, drawing attention to the vulnerabilities within the hospitality sector’s cybersecurity defenses. This announcement is particularly relevant for anyone who stayed at MGM properties and has received a notification regarding the breach.
The cyberattacks targeting MGM Resorts were sophisticated, occurring in July 2019 and again in September 2023. In both incidents, attackers successfully gained access to sensitive personal information of guests, including full names, email addresses, phone numbers, physical addresses, and birthdates. More concerning was the exposure of critical identity credentials, such as passport numbers, driver’s licenses, military identification, and Social Security numbers. The breadth of this unauthorized access raises significant questions about the integrity of data protection practices within the organization.
As a result of these breaches, a class-action lawsuit was initiated, led by affected customers like Tonya Owens, who alleged that MGM failed to safeguard the confidential information of its patrons. While MGM Resorts has settled the lawsuit for $45 million, the company did not admit any wrongdoing. This pattern of settling without admission of liability is common in corporate responses to data breaches.
Individuals who received notification from MGM Resorts regarding their personal information being compromised are eligible to file claims. Compensation varies based on the type of exposed information. Those whose sensitive data was breached could receive $75, while lesser amounts apply for other levels of exposed information. Importantly, the claim process requires no documentation, simplifying the submission for affected individuals.
For victims who have suffered actual financial losses due to the breaches, such as unauthorized transactions or fraudulent accounts opened in their names, claims can exceed $15,000, although these require proof like bank statements or police reports to demonstrate the impacts of the breach comprehensively.
Claims can be initiated through the official settlement portal, where individuals can verify their eligibility and submit necessary forms. This process is entirely online, contributing to a streamlined approach in addressing the repercussions of the breaches. Those opting not to participate in the settlement have until May 19, 2025, to formally decline.
Cybersecurity incidents of this nature are increasingly prevalent, with MGM Resorts being one of many corporations facing scrutiny for inadequate data protection measures. Similar breaches have prompted class-action lawsuits against other organizations, emphasizing the need for robust cybersecurity protocols. The frequency of such events compels a deeper examination of personal data handling practices and the rights of individuals to safeguard their information.
The sophistication of these attacks aligns with several tactics in the MITRE ATT&CK framework, particularly those involving initial access and data exfiltration. Adversaries likely exploited weaknesses in the organization’s security posture, utilizing techniques to gain unauthorized access to sensitive information. The growing trend of cyberattacks in the hospitality industry highlights urgent vulnerabilities, prompting a necessary conversation about the responsibilities of businesses to protect their customers’ data.
As the reporting period for claims progresses, both business owners and consumers must remain vigilant regarding cybersecurity practices. The fallout from these breaches serves as a reminder of the ever-evolving landscape of digital security risks and the imperative for organizations to enhance their defenses continually. The investigation continues, but for those impacted, this settlement may provide some form of relief amidst ongoing concerns about personal data security.
