MGM Resorts Slapped with Class Action Suit After Hackers Swipe 10.6 Million Guest Records

Posted on: February 22, 2020, 04:39h. 

Last updated on: February 23, 2020, 12:00h.

John Smallman, formerly a patron of MGM Resorts International (MGM), is suing the gaming company after it was revealed that cyber thieves stole the data of 10.6 million guests last year.

A former Luxor guest is suing MGM after news of a data breach broke. (Image: Fox5 Vegas)

Earlier this week, MGM verified the data breach involving 10,683,188 records of prior guests, including celebrities, convention goers and government officials. The operator of the Bellagio and Mirage, among other Las Vegas Strip properties, made affected guests aware of the incident last year. But it came to light publicly this week after the information was released on an online hacking forum.

In a complaint filed Friday in US District Court in Nevada, attorneys for Smallman claim that MGM notified impacted guests on or about Sept. 5, 2019, following a breach on or around July 7, 2019, and that the company kept it quiet to avoid negative publicity in the wake of the October 1, 2017, mass shooting at Mandalay Bay that resulted in 58 deaths and more than 800 injuries.

ZDNet initially reported news of the data theft on Feb. 19. PII stands for “personally identifiable information.”

“Unfortunately, the miscreants that took and/or acquired the sensitive PII had other plans, and on February 19, 2020, internet technology publication ZDNet revealed that the personally identifiable information of more than 10.6 million MGM hotel guests had been posted on a hacking forum, available for misuse by a host of bad actors,” according to the suit.

Suit Details

Smallman’s counsel notes the Californian stayed at the Luxor multiple times over the past 10 years using his driver’s license, a credit or debit card, and other PII while there. He also used payment cards at the Bellagio. Earlier in the week, Casino.org reached out to MGM to verify what properties were affected by the hack, but did not hear back from the company.

The hackers stole full names, home addresses, phone numbers, emails, and dates of birth. But MGM told ZDNet it believes payment information and passwords weren’t compromised in the cyber attack.

“Plaintiff suffered actual injury from having their PII stolen as a result of the Data Breach, including, but not limited to: (a) paying monies to MGM for its goods and services which they would not have had if MGM disclosed that it lacked data security practices adequate to safeguard consumers’ PII from theft; (b) damages to and diminution in the value of their PII—a form of intangible property that the Plaintiff entrusted to MGM as a condition of receiving MGM services; (c) loss of their privacy; (d) imminent and impending injury arising from the increased risk of fraud and identity theft,” according to the complaint.

Smallman’s attorneys also argue that due to the MGM data infiltration, their client will be increasingly vulnerable to financial fraud and identity theft in the coming years.

Hospitality Targets

Due to the nature of the personal information acquired by gaming companies and hotel chains, the travel and leisure industry is among the most vulnerable to cyber thievery. In the last decade, one of the largest data breaches involved 383 million records stolen from Marriott’s Starwood brand.

Hilton, Hyatt and Trump are among the other big-name hoteliers that have had run-ins with cyber criminals.

Smallman’s attorneys note the MGM data breach may run afoul of Federal Trade Commission (FTC) guidelines. The FTC has previously brought action against companies for not sufficiently safeguarding customer data.

“At all relevant times, MGM knew, or reasonably should have known, of the importance of safeguarding PII and of the foreseeable consequences if its data security systems were breached, including, the significant costs that would be imposed on customers as a result of a breach,” according to the suit.