Court Approves $45M Settlement in MGM Resorts Hack Class Action

Posted on: January 24, 2025, 07:13h. 

Last updated on: January 24, 2025, 07:13h.

The United State District Court for the District of Nevada granted preliminary approval of a $45 million settlement in a class action suit brought against MGM Resorts International (NYSE: MGM) stemming from the September 2023 cyber intrusion that temporarily crippled the casino operator.

MGM Sands
MGM’s Bellagio on the Las Vegas Strip. A court granted preliminary approval of a $45 million settlement for victims of two cyberattacks against MGM. (Image: CNN)

The case also include claims from plaintiffs whose personal data was compromised in a July 2019 cyber event that target the gaming company. Counsel for the plaintiffs asserted that MGM was lax in cybersecurity protocols, making customers’ personally identifiable information vulnerable in the two cyber crimes.

The settlement includes significant financial relief for impacted plaintiffs. Class members whose social security number or military identification number were exposed are eligible for a $75 cash payment and those whose passport number or driver’s license were exposed are eligible for a $50 payment,” according to Cohen Milstein Sellers & Toll PLLC, the firm that handled the case. “In addition, all settlement class members may elect identity theft protection and credit monitoring.”

There may have been merit to the claim that MGM’s cyber defenses were not sturdy enough. BitSight, a cybersecurity ratings and analytics company, gave the gaming company a cybersecurity grade of “F” and that was prior to the September 2023 hack.

MGM Cyber Woes

The September 2023 attack, perpetrated by a group of hackers known as “Scattered Spider,” wasn’t the first time MGM was the target of a digital intrusion.

In February 2020, it was revealed that in 2019, hackers stole sensitive data of 10.6 million MGM customers, including some celebrities, from the company’s database and later marketed that data for profit on the dark web. In December 2022, BetMGM, which is 50% controlled by MGM, confirmed a data breach that was believed to have occurred in May 2022.

“The hotel and entertainment industries are particularly desirable targets for hackers,” said Douglas McNamara, co-lead interim class counsel and partner at Cohen Milstein.

He’s also co-lead class counsel on a similar class action against Caesars Entertainment (NASDAQ: CZR), which was also hit by Scattered Spider in 2023. It was reported that Caesars paid the hacking group as much as $30 million to relent — a strategy not employed by MGM. The Bellagio operator followed FBI protocol by not paying the hackers, but it suffered $100 million in losses and $10 million in one-off costs related to the attack.

Tiered Payments for MGM Hack Victims

A document from the United State District Court for the District of Nevada indicates victims of the two ransomware attacks MGM will be segmented into three tiers with cash compensation ranging from $20 to $75.

In some extreme cases, victims could be eligible for payments of as much as $15,000 if they can document being the victims of identity theft, related legal fees, and credit repair costs, among other items.

“All Settlement Class Members may submit a Claim Form for a Documented Loss Cash Payment for up to $15,000.00 per Settlement Class Member upon presentment of documented losses fairly traceable to either Data Incident and attest under penalty of perjury to incurring documented losses, supported by reasonable documentation,” according to the court filing.