Federal Court Backs MGM's $45 Million Settlement Deal

Nevada.

The case merges two class-action lawsuits addressing separate data breaches at the resort operator. The first breach occurred in July 2019, when hackers obtained driver’s license numbers, passport information, and customer addresses. Later, in September 2023, MGM’s systems were again breached—this time through a ransomware attack. The ransomware disabled vital operational systems, affecting hotel room controls and slot machines.

Millions of Customers Impacted

According to the lawsuit, approximately 37 million individuals were affected by the two incidents. The suit argues that MGM failed to establish robust data-security measures to prevent the breaches. In response to questions, the company opted not to comment on the ongoing matter.

The consequences of the 2023 breach were particularly severe, hitting MGM’s Las Vegas Strip casinos at the height of summer operations. Disruptions from the cyberattack reportedly cost the company $100 million, although MGM indicated in an October 2023 U.S. Securities and Exchange Commission filing that insurance would likely mitigate the financial loss.

The proposed settlement outlines a tiered compensation system for those affected. Customers whose Social Security numbers or military ID numbers were compromised would receive $75. Victims of stolen passport or driver’s license details are eligible for $50. Additionally, customers who can demonstrate tangible harm caused by the breaches may claim up to $15,000.

As part of the settlement, attorneys representing the plaintiffs are eligible to request up to 30% of the $45 million fund. If given final court approval in June, the settlement could resolve a key legal challenge for MGM stemming from the 2023 breach.

MGM’s Ongoing Legal Battles with the FTC

The data breaches continue to raise regulatory concerns. The Federal Trade Commission (FTC) is scrutinizing MGM’s handling of the 2023 attack. In late 2023, the FTC initiated a civil investigative process to obtain company records, circumventing a formal subpoena.

MGM responded by filing a lawsuit in April, challenging the FTC’s demand and seeking the recusal of then-FTC Chair Lina Khan, citing her prior stay at an MGM property during the cyberattack. MGM also accused the agency of misapplying rules intended for financial institutions and violating the company’s constitutional rights.

Although the FTC filed to dismiss MGM’s lawsuit in June 2023, the legal back-and-forth persists, with both sides filing procedural motions as recently as August. Leadership changes in the FTC could shape the ongoing case, with Andrew Ferguson now heading the agency after Lina Khan’s resignation earlier this month.

Source:

“MGM agrees to pay $45 million to settle data-breach lawsuit,” cdcgaming.com, January 27, 2025.
