MGM, Caesars in Las Vegas Sued Over Inadequate Cyberattack Preparedness

Posted on: September 25, 2023, 06:14h. 

Last updated on: October 9, 2023, 05:50h.

Five new lawsuits are seeking retribution from MGM Resorts International and Caesars Entertainment for failing to protect sensitive customer data during this month’s unprecedented Las Vegas casino cyberattacks.

street crime
Cybercrime isn’t any less expensive or potentially life-ruining than street crime. (Image: Reuters/David Becker)

The lawsuits filed late last week in Nevada District Court allege that the two largest gaming companies on the Strip were negligent for, among other things, not providing adequate cybersecurity measures and for failing to inform customers promptly that their information was compromised.

Individual rewards club members on Thursday filed four lawsuits seeking class-action status. (They were filed on behalf of all affected rewards club members.) Tony Owens and Emily Kirwan filed separate lawsuits against MGM, and Paul Garcia and Alexis Giuffre filed against Caesars. A fifth lawsuit was filed Friday against Caesars alone by plaintiffs Thomas and Laura McNicholas.

All five lawsuits allege negligence, breach of contract, and unjust enrichment. They all seek monetary damages — actual, statutory, and punitive damages, as well as restitution — in addition to jury trials.


The suits allege that MGM and Caesars knew, or should have known, the importance of safeguarding the sensitive information they required from their rewards club customers. The suit contends that their negligence violated Federal Trade Commission guidelines and industry standards.

Kirwan’s suit specifies that MGM “was aware that it was vulnerable to this type of attack because the IT vendor that it relied upon, Okta, had warned of “a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication factors enrolled by highly privileged users.”

The suits all contend that, as a result of their data being exposed, the victims will need to be vigilant and constantly monitor their financial accounts for the rest of their lives.


Hackers claim they stole six terabytes of sensitive information from both companies, much of which their victims believe is already available on the dark web. Identity thieves can download the data and use it to obtain loans and driver’s licenses and to file fraudulent tax returns and unemployment claims.

MGM’s September 10 cyberattack kept systems offline for nine days at its 10 casino resorts on the Strip. Caesars, which operates nine casino resorts, publicly detailed a similar social engineering cyberattack sometime before September 7 in a Securities and Exchange Commission filing on September 14. The company reportedly paid a $15 million ransom to free its systems as soon as possible.

“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in a statement.

MGM, which is believed not to have paid a ransom, has made no statement about the exposure of its customers’ data.

Last week, asked a leading cybersecurity expert which casino giant, MGM or Caesars, appears to have better managed their cyberattack.