MGM Resorts International Data Breach Class Action

In February 2020, MGM Resorts International announced that cybercriminals had gained access to its systems in mid-2019 and had stolen personally identifiable information (PII) for more than 10.6 million of its hotel guests. This data breach, the complaint for this class action alleges, “was a direct result of MGM’s failure to implement adequate and reasonable cyber-security procedures necessary to protect its customers’ PII.”

The Nationwide Class for this action is all persons living in the US whose PII was stolen in the July 7, 2019 data breach at MGM. The complaint also proposes Nevada, Louisiana, New York, Ohio, and South Carolina Subclasses for residents of those states.

MGM is a hospitality and entertainment company. Its hotels include Aria, Bellagio, MGM Grand, Mandalay Bay, The Mirage, Luxor, New York-New York, Excalibur, Park MGM, and Circus Circus.

The data breach happened on July 7, 2019. The PII accessed included names, phone numbers, e-mail addresses, and dates of birth; for some customers, it also included driver’s license numbers, passport numbers, or military identification numbers.

The stolen data was made available to criminals on the dark web, in a popular hacking forum. According to the complaint, “Technology journalists at ZDNet and security researchers from Under the Breach were able to validate the origin of the posted data by using the PII to contact users and confirm that they stayed at an MGM property prior to the breach.” MGM later confirmed this.

The complaint claims, “The Data Breach was reportedly the result of a faulty cloud-based server. A data security professional noted that the breach ‘could have easily been caused from poor cloud configuration and security hygiene.’”

Because MGM requires that customers provide it with their personal information, the complaint says, it has a responsibility to ensure that it protects that information. “MGM is a multi-billion-dollar company and had the financial and personnel resources necessary to prevent the breach. MGM nevertheless neglected to adequately invest in reasonable data security measures.”

MGM’s Privacy Policy claims that the company “respects your privacy.” It claims that the information is “stored on systems protected by industry standard security measures…. We have controls in place that are designed to detect potential data breaches, contain and minimize the loss of data, and conduct forensic investigations of a breach.” It also says, “Our staff is required to take reasonable measures to ensure that unauthorized persons cannot view or access your Personal Information.”

However, the complaint claims that these statements are false and misleading, because the company did not have such measures in place and did not prevent the data breach. Hotels are a frequent target of cybercriminals, the complaint says, and MGM should have been on notice that it could become a target.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

MGM Resorts International Data Breach Complaint

March 13, 2020

Tags: Exposing Private Information, Exposure to cyber crime, Your Privacy