MGM agrees to pay $45 million to victims of 2019 data breach and 2023 ransomware attack

MGM Resorts International agreed to pay $45 million to settle multiple class action lawsuits related to a data breach in 2019 and a ransomware attack the company experienced in 2023. 

The two sides confirmed the agreement in a Las Vegas federal court on January 21 and the final approval hearing will take place on June 18. 

In court filings with the U.S. District Court of Nevada, lawyers for the victims said more than 37 million customers of MGM Resorts International had information stolen during the cyberattack in July 2019 and the September 2023 ransomware attack. 

The July 2019 incident saw hackers steal names, addresses, passport numbers and more from MGM Casino guests while the ransomware attack gave cybercriminals access to the same type of information as well as driver’s license numbers, military ID numbers and Social Security numbers. 

The agreement culminates 14 class action lawsuits that were consolidated last year. Multiple mediations took place before an agreement was hammered out on October 31. 

The $45 million will be dispersed to victims through a tiered system based on what information a person had stolen. Those in the first tier will receive $75 while those in tier two will get $50 and tier three will see $20 payments. 

Victims can also receive more funds if they can provide documentation of further losses resulting from identity theft related to the breaches. Those who file a documented loss cash payment claim form can receive up to $15,000. 

The $45 million will also cover lawyers fees, payout administration and identity theft protection services that can be applied for. 

Following the 2019 breach, the personal information of 10.6 million users who stayed at MGM Resorts was leaked to a hacking forum.

The ransomware attack caused chaotic scenes across Las Vegas, with everything from slot machines to hotel room keys and ATMs knocked out of service for days. 

MGM Resorts International owns multiple high-profile hotels in Las Vegas, including Mandalay Bay, the Bellagio, the Cosmopolitan and the Aria. Hotels were unable to accept credit cards and guests were left scrambling to find alternative housing while staff at multiple casinos had to calculate slot machine losses and wins by hand. 

Ransomware hackers connected to the now-defunct BlackCat/Alphv gang eventually took credit for the attack. The company said in regulatory filings that it lost about $100 million throughout the incident.

The company is still facing investigations by the Federal Trade Commission over the ransomware attack.