LAS VEGAS (KTNV) — A class action lawsuit against MGM Resorts International over data breaches in 2019 and 2023 could soon be resolved.
Last week, a federal judge approved a preliminary settlement of $45 million.
The data breach in July 2019 exposed customer data for approximately 37 million guests, according to the lawsuit.
Following that incident, eight class action lawsuits were filed against MGM Resorts International, which were eventually consolidated into one.
In 2023, hackers were able to access MGM Resorts International's network by impersonating an IT administrator. The lawsuit states hackers were able to obtain MGM customers' names, addresses, telephone numbers, email addresses, dates of birth, driver's license numbers, passport numbers, military identification numbers, and in some cases, Social Security numbers.
Following the 2023 incident, 14 class action lawsuits were filed against MGM Resorts International. All of those cases were eventually consolidated into the same 2019 class action lawsuit.
According to the preliminary settlement, all settlement class members may submit a claim form for a Documented Loss Cash Payment for up to $15,000. Those losses may include:
- Unreimbursed losses related to fraud or identity theft
- Professional fees including attorneys' fees, accountants' fees, and fees for credit repair services
- Costs associated with freezing or unfreezing credit with any credit reporting agency
- Credit monitoring costs incurred on or after the data incident date
In addition, all settlement class members can elect to receive a Tier Cash Payment, which is a flat cash payment based on their tier. Those tiers are determined by what type of data was exposed. For example, you can receive $50 if your passport number or driver's license was exposed or $75 if your Social Security number or military identification number was exposed.
All settlement class members can also elect to submit a claim for financial account monitoring, which includes identity theft protection and credit monitoring for one year.
According to the preliminary settlement, within 30 days of preliminary approval, an email will be sent to all eligible settlement class members and/or a postcard through the mail. That will include information on how to submit a claim form, the deadline to submit a claim, the final approval hearing date, and the settlement website address.
"On behalf of millions of MGM Resort customers, I'm very pleased with this settlement," said Douglas J. McNamara, an attorney representing the plaintiffs. "The hotel and entertainment industries are particularly desirable targets for hackers. The same hackers also attacked Caesars Entertainment, Inc. in 2023."
You can read the full preliminary settlement below.
Channel 13 has reached out to MGM Resorts International for a statement on the settlement but has not heard back as of Tuesday afternoon.
As for the Caesars Entertainment data breach that McNamara mentioned, court documents state a cybercriminal group called "Scattered Spider" infiltrated an IT vendor to gain access to their network.
As a result, the group was "able to download the six-terabyte Caesars' loyalty program member database, which included PII of the more than 65 million rewards program members. The group then demanded a $30 million ransom, of which Caesars reportedly paid $15 million."
Plaintiffs claim the company was negligent in managing their data security protocol and customers were not informed of the issue in a timely manner. They also claim Caesars did disclose the attack in a Sept. 14 SEC filing but didn't explain the breadth of the breach.
Attorneys for Caesars Entertainment have filed a motion for the case to be dismissed. Their attorneys claim the plaintiffs haven't proven any damage or injuries to their name that are attributed to this hack.
According to the federal court docket, no further hearings have been scheduled, as of Tuesday afternoon.