Hotel and casino giant MGM Resorts has agreed to pay $45 million to settle more than a dozen class action lawsuits after hackers stole personal data on millions of customers in two separate cyberattacks.
MGM agreed to the settlement on January 21, according to a recent court filing, as first reported by The Record. A Las Vegas federal court is scheduled to rule on the settlement on June 18.
The settlement proposal was reached following two previously reported data breaches at MGM Resorts in 2019 and 2023.
The breach in 2019 saw hackers steal millions of customer names, home addresses, phone numbers and other personal information from MGM’s systems. MGM confirmed the breach in 2020 after large portions of the stolen data were published on a known cybercrime forum.
The 2023 ransomware attack on MGM’s systems resulted in weeks-long outages and disruption across the company’s properties across the Las Vegas Strip, including the Bellagio, Aria and Cosmopolitan. The hackers also stole customers’ personal information, including some Social Security numbers and passport numbers. MGM said the ransomware attack cost the company more than $100 million in damages.
Lawyers for the class action members said in the filing that the two separate data breaches both affected more than 37 million MGM Resorts customers. MGM has repeatedly declined to share the number of affected individuals, and MGM spokesperson Brian Ahern did not respond to TechCrunch’s request for comment.
About 30% of the $45 million settlement fund will go to attorney fees, with class action victims receiving up to $75 each depending on the types of information stolen in the attacks.