MGM to pay $45mn to settle data breach lawsuit

By Mia MacGregor

Jan 28 - (The Insurer) - A federal court has granted preliminary approval for a $45mn settlement in a class-action lawsuit against Las Vegas-based MGM Resorts International over two major data breaches in 2019 and 2023 that exposed the personal information of millions of customers.

Filed in the US District Court of Nevada, the lawsuit combined claims from both incidents and accused the global hospitality, entertainment, and resort company of failing to implement adequate data security measures, leaving its systems vulnerable to attacks.

The first breach in July 2019 allowed hackers to access sensitive data belonging to around 37 million customers, including driver’s license numbers, passport information, and home addresses.

In September 2023, a second breach occurred when attackers impersonated IT administrators to gain employee network credentials.

They locked down MGM’s systems and accessed data for approximately 37 million customers, including names, contact information, dates of birth, driver’s license and passport numbers, military IDs, and in some cases, Social Security numbers.

Customers were notified of the breaches, prompting lawsuits against MGM.

To avoid the cost and uncertainty of litigation, the parties reached a global settlement to resolve the claims on a class-wide basis. The settlement includes a $45mn non-reversionary cash fund and additional non-monetary remedies.