Hotel Giant Agrees to $45 Million Payout After Data Breaches Impact Millions

MGM Resorts International has agreed to a $45 million settlement to compensate millions of customers affected by two major data breaches in 2019 and 2023. These breaches not only compromised the personal information of approximately 37 million individuals but also caused operational chaos at MGM’s hotels, leading to a class-action lawsuit led by Tonya Owens in the US District Court of Nevada.

• Settlement Amount: $45 million
• Affected Individuals: 37 million
• Breach Dates: July 2019 and September 2023
• Compensation: Up to $15,000 for losses; tiered cash payments; one year of financial monitoring

The breaches occurred in July 2019 and September 2023, with the latter executed by the notorious hacking group Scattered Spider, a subgroup of the ALPHV (BlackCat) ransomware gang. They employed tactics like vishing (a phone scam where attackers impersonate someone else to trick you into providing sensitive information) and multi-factor authentication (MFA) fatigue (repeatedly sending authentication requests until the user approves one out of frustration). These sophisticated methods led to significant disruptions, including a reported $100 million loss in MGM’s third-quarter results, affecting everything from slot machines to digital key cards.

The personal data compromised included names, addresses, phone numbers, dates of birth, and for a subset of individuals, even more sensitive information like driver’s license numbers, passport numbers, Social Security numbers, and military identification numbers. This exposure has put millions at risk of identity theft, emphasizing the urgency of the settlement.

Under the settlement, affected individuals can claim up to $15,000 for documented losses. Additionally, there are cash payments of $20, $50, or $75, depending on the type of data compromised. One year of financial monitoring is also offered to help mitigate the risks of identity theft. However, experts like Eva Velasquez from the Identity Theft Resource Center and Josephine Wolff from Tufts University have questioned the effectiveness of these monitoring services, suggesting that freezing one’s credit might be a more robust defense.

The aftermath of the breaches saw not only financial losses but also operational headaches for MGM’s customers. Guests encountered malfunctioning slot machines, issues with digital key cards, and disruptions in payment systems. The 2023 breach even led to a temporary 4.1% drop in MGM’s stock price, although it rebounded to the mid-$50 range by January 2025, reflecting resilience in the hospitality sector.

These incidents have sparked regulatory scrutiny, with investigations launched by the FBI and the Nevada Gaming Control Board. The breaches have also fueled discussions about the need for stricter cybersecurity regulations in Nevada, highlighting the growing recognition of robust security measures in the gaming industry.

The settlement, while a step towards compensation, does not erase the broader implications for cybersecurity in the hospitality sector. It underscores the increasing threat of sophisticated cyberattacks and the importance of employee training and awareness to combat tactics like vishing and MFA fatigue. For MGM and other large corporations, the message is clear: protecting customer data is not just a legal obligation but a critical aspect of maintaining trust and operational integrity.

Key Takeaways and Questions

• What was the total settlement amount MGM Resorts International agreed to pay?

  MGM Resorts International agreed to pay a total of $45 million.

• How many people were affected by the MGM data breaches?

  Approximately 37 million people were affected by the data breaches.

• What were the dates of the MGM data breaches?

  The data breaches occurred in July 2019 and September 2023.

• What types of personal data were exposed in the breaches?

  The breaches exposed names, addresses, phone numbers, dates of birth, and in some cases, driver’s license numbers, passport numbers, Social Security numbers, and military identification numbers.

• What compensation options are available to affected individuals?

  Affected individuals can claim up to $15,000 for documented losses, receive cash payments of $20, $50, or $75 based on the type of data compromised, and get one year of financial monitoring.

• Who led the class-action lawsuit against MGM Resorts International?

  The class-action lawsuit was led by Tonya Owens.

• In which court was the lawsuit filed?

  The lawsuit was filed in the US District Court of Nevada.

• Did MGM Resorts International admit fault in the settlement?

  No, MGM settled without admitting any fault.

• What are the deadlines for filing claims and opting out of the settlement?

  Claims must be filed by June 3, 2025, and the deadlines for opting out or objecting are May 19, 2025.