Trump administration ends FTC’s ransomware data breach case against MGM Resorts

The Federal Trade Commission (FTC) shuttered its case against MGM Resorts International centered on the company’s handling of personal data stolen during a 2023 ransomware attack.

The FTC filed a Civil Investigative Demand (CID) in January 2024 seeking answers to dozens of questions about the ransomware attack that involved customer and employee data as well as troves of business information.

The FTC specifically wanted information on the company’s compliance with Section 5 of the FTC Act, the Safeguards Rule under the Gramm-Leach-Bliley Act and the Red Flags Rule under the Fair Credit Reporting Act.

MGM Resorts International repeatedly refused to provide the information and the FTC in June 2024 filed a lawsuit in Nevada to enforce the CID. The two sides went back and forth in court for months, with the casino giant demanding FTC chair Lina Khan recuse herself because she happened to be staying at a Las Vegas hotel owned by the company at the time of the cyberattack. 

The company also petitioned to have the case moved to Washington, D.C. and questioned whether the FTC had jurisdiction in the case at all. 

But on February 28, court filings confirmed that with the Trump administration taking office, the FTC’s CID had been withdrawn, making the court cases “moot,” according to lawyers for both sides.

Documents filed in federal courts in Nevada and Washington, D.C. say the FTC contacted MGM on February 26 to say it intended to terminate the litigation around the CID.

Over the last week, the two sides filed motions to dismiss many of the cases.

“The Petitioner, the Federal Trade Commission, and the Respondent, MGM Resorts International, hereby stipulate and agree that the above-captioned action be dismissed without prejudice, with each party to bear its own costs and attorneys’ fees,” the two sides said.

The two sides plan to submit a joint status report “on or before March 21” to provide further updates on the efforts to dismiss or withdraw the remaining legal filings. 

The filings bring an end to much of the legal controversy that surrounded the ransomware attack on MGM Resorts International, which owns multiple high-profile hotels across Las Vegas, including Mandalay Bay, the Bellagio, the Cosmopolitan and the Aria. Hotels were unable to accept credit cards and guests were left scrambling to find alternative housing while staff at multiple casinos had to calculate slot machine losses and wins by hand. All of the digital systems used to manage the casinos and hotels were brought down by the ransomware attack.

In January, the casino giant agreed to pay $45 million to settle multiple class action lawsuits related to a data breach in 2019 and the 2023 ransomware attack. Lawyers for the victims said more than 37 million customers of MGM Resorts International had information stolen during the cyberattack in July 2019 and the September 2023 ransomware attack.

Ransomware hackers connected to the now-defunct BlackCat/Alphv gang eventually took credit for the attack. The company said in regulatory filings that it lost about $100 million due to the incident.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.