
The Nevada District has approved MGM’s $45 million settlement to resolve a class action lawsuit over data breaches in 2019 and 2023.
MGM will provide tiered financial compensation to affected customers based on the severity of the leaked information. This agreement concludes a multi-year litigation following the cybersecurity breaches, which caused a $100 million EBITDA loss and significant disruptions across the company’s properties.
The court’s order mentioned:
To avoid the risk and expense of litigation, the parties agreed to a global settlement to resolve plaintiffs’ claims for both data incidents on a class wide basis.
As demonstrated below, the settlement provides significant relief for the settlement class, including a non-reversionary all cash $45m settlement fund and valuable non-monetary relief.
The data breaches exposed tens of millions of customers’ private information, including social security numbers, military IDs, phone numbers, and passport details. Plaintiffs alleged that MGM failed to implement proper data security measures, monitor cloud-based servers, and delete outdated data, leading to the breaches. In July 2024, both parties agreed to mediation with an experienced data breach mediator, ultimately leading to the $45 million settlement.
After weeks of negotiations, MGM and the plaintiffs reached a settlement, filing a notice of agreement with the court in October 2024. Under the deal, individuals who can prove direct harm from the breaches may claim up to $15,000, while those affected by social security or military ID leaks will receive $75, and those with compromised driver’s license numbers will be eligible for $50.
Despite settling the class action, MGM faces a separate FTC investigation into its compliance with data security regulations. In response, the company has countersued, alleging the probe is personally motivated by the FTC chair’s stay at an MGM property during the incident.