MGM Resorts Faces $45M Settlement Over Data Breaches Impacting Millions of Customers

• MGM Resorts agreed to pay $45 million to resolve several class action lawsuits concerning two severe data breaches.
• The security incidents allegedly affected over 37 million MGM customers whose sensitive details were leaked online.
• Affected class members will be eligible to receive up to $75 each under the proposed settlement.

MGM Resorts has agreed to a $45 million settlement to resolve more than a dozen class action lawsuits stemming from two major cyberattacks that collectively compromised the personal data of millions of customers. 

The legal battles were triggered by two data breaches impacting the prominent hotel and casino conglomerate in 2019 and 2023. A recent court filing revealed the settlement is set to be reviewed by a Las Vegas federal court on June 18. 

The first breach exposed customer names, home addresses, phone numbers, and other sensitive personal information stored in MGM’s systems. The company acknowledged the cyberattack in 2020 when vast amounts of stolen data surfaced on a notorious cybercrime forum.

The 2023 ransomware attack resulted in prolonged outages across MGM's flagship properties on the Las Vegas Strip, including the Bellagio, Aria, and Cosmopolitan, disrupting operations and leaking customer data, including Social Security Numbers and passport numbers.

The class action lawsuits arose from the impact of these breaches, both of which reportedly affected over 37 million MGM customers, according to the plaintiffs' attorneys. Notably, MGM has consistently declined to disclose the precise number of individuals affected.

Under the proposed $45 million settlement, affected class members will be eligible to receive up to $75 each, based on the specific types of personal information compromised during the attacks. 

Approximately 30% of the settlement fund—an estimated $13.5 million—will be allocated to attorney fees.

In 2020, a data dump containing the sensitive details of 10.6 million customers of MGM Resorts hotels who stayed in one of the locations until 2017 was published on a darknet forum.