MGM Resorts International has agreed to pay $45 million to settle multiple class action lawsuits stemming from two significant cyberattacks. These lawsuits relate to a 2019 data breach and a 2023 ransomware attack that impacted over 37 million MGM customers. The company confirmed the settlement agreement on January 21, 2025, during a federal court session in Las Vegas. A final approval hearing is scheduled for June 18, 2025, to finalize the agreement.
The two cyberattacks resulted in the theft of sensitive customer information.
The 2019 data breach exposed names, addresses, passport numbers, and other personal details of MGM guests. In 2023, the ransomware attack gave hackers access to the same type of data along with more sensitive information such as driver’s license numbers, military ID numbers, and Social Security numbers. Both incidents were linked to significant disruptions, especially the ransomware attack, which crippled hotel systems across Las Vegas, impacting slot machines, hotel room keys, and ATM services.
Under the terms of the settlement, victims will be compensated through a tiered system based on the type of information that was stolen. Individuals in the first tier will receive $75, while those in the second and third tiers will receive $50 and $20, respectively. Victims who can prove further losses due to identity theft linked to the breaches can submit claims for additional compensation, potentially up to $15,000. The total $45 million will also cover administrative costs, lawyer fees, and provide identity theft protection services for affected individuals.
The two cyberattacks caused extensive damage to MGM Resorts, with the 2019 breach resulting in the leaking of personal information of 10.6 million customers on a hacking forum. The 2023 ransomware attack, attributed to the now-defunct BlackCat/Alphv gang, led to chaos in Las Vegas, disrupting services and costing the company an estimated $100 million in losses. Additionally, MGM Resorts is facing an ongoing investigation by the Federal Trade Commission concerning the ransomware attack.