MGM Resorts has agreed to pay $45 million to settle a class-action lawsuit related to two data breaches.
An order granting preliminary approval for the settlement was filed in the U.S. District Court for Nevada on Jan. 21.
A lawsuit from Tanya Owens and other plaintiffs had alleged that two separate cyberattacks on MGM Resorts’ operating systems in July 2019 and September 2023 affected around 37 million people by exposing sensitive customer information.
The lawsuit combined a class-action lawsuit for each incident into one complaint and alleged that MGM failed to implement sufficient security practices to prevent the incident.
The final approval hearing in the case is slated for June 18. If confirmed, it would end the long-running litigation regarding the two incidents.
SBC Americas reached out to MGM Resorts for comment but had not heard back at the time of writing.
Class-action members could be entitled to $15,000 compensation
The 2019 incident involved a hacker infiltrating MGM’s network, while the 2023 attack incapacitated key MGM Resorts systems such as key-card access, reservation systems and some gaming machines for several days.
The combined lawsuit alleges that customer information stolen included names, addresses, email addresses, phone numbers, driver’s license numbers, passport numbers and, in some cases, Social Security numbers.
Class-action members who can document losses from the incidents, such as unreimbursed losses relating to fraud or identity theft, attorney and/or accountant fees and credit monitoring costs, could be eligible for payments up to $15,000 per person. The settlement would also provide tiered compensation for affected customers, based on what information was stolen. Those payments would range from $20 to $75 per person.
The plaintiffs’ attorneys are permitted to request up to 30% of the $45 million total.
MGM and FTC still at loggerheads
While this development settles the class-action lawsuit, a legal battle concerning the 2023 incident continues between MGM Resorts and the Federal Trade Commission (FTC).
Last year, the FTC filed a civil investigative demand against MGM which would grant it the right to request information from companies without a court-issued subpoena. Several elements of the case have been denied and the court ordered a stay on the case until a similar case in D.C. is resolved.
MGM sued the agency in D.C. District Court in April, alleging a potential conflict of interest involving then-FTC Chair Lina Khan, noting that she was a guest at an MGM property when the cyberattack took place. The MGM suit also alleged that the FTC violated MGM’s Fifth Amendment rights and wrongfully applied rules meant for financial institutions. The judge has asked the parties for an update by Feb. 7 indicating if the change in administration and Khan’s resignation will impact the case.
The FTC filed a petition in Nevada requesting the court to compel MGM Resorts to comply with the FTC’s investigation.
