HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

MGM to pay $45M settlement after breach affecting 37 million customers

Written by Abby Grifno | Feb 3, 2025 1:00:00 PM

What happened

In 2023 and 2019, MGM Resorts International faced two massive data breaches, forcing the resort company to shut down many of its systems. 

BlackCat, also known as ALPHV, claimed responsibility for the 2023 ransomware attack. The threat group allegedly used a social engineering attack by calling the company’s help desk with an MGM Resorts employee’s information they had found on LinkedIn.

Collectively, the breaches impacted 37 million of the hotel and casino company’s customers. Data accessed in the 2019 breach included names, addresses, phone numbers, email addresses, dates of birth, and passport numbers. The 2023 attack impacted even more information, including driver’s license numbers and Social Security numbers. It also required MGM to briefly shut down slot machines and ATMs.

What’s new

Since then, MGM has been embroiled in legal turmoil. The two data breaches resulted in 22 unique class-action lawsuits, which were ultimately consolidated into a single case.

MGM will pay out $45 million, which will cover legal fees and be distributed among class action members. Settlement class members can submit a claim of up to $15,000 for losses traceable to one of the two incidents. Individuals who did not face significant financial losses may be entitled to a cash payment of up to $75.

While a federal court has granted preliminary approval of the settlement, a final hearing is set to take place on June 18th.

What’s next

While this is likely the end of class action suits against MGM Resorts, the company is still under investigation by the Federal Trade Commission (FTC). The investigation revolves around how the company handled the 2023 incident. MGM has filed a petition to quash the investigation, stating that the FTC is demanding significant and irrelevant data regarding the breach. The petition was filed on February 20th, 2024.

The big picture

The data breaches, subsequent lawsuits, and investigations showcase how a breach can continue to significantly impact an organization years after it took place. While any company, no matter its size, can become the victim of an attack, the size of MGM and the large number of victims likely made the company prone to additional scrutiny. 

Organizations should always carefully document their response to data breaches and be prepared to defend their actions to victims and the government alike. While data breaches can happen for a variety of reasons, organizations must do everything possible to prevent breaches and mitigate the impact.