Class Action Claims BetMGM Failed to Prevent Data Breach Affecting Over 1.5M Consumers [DISMISSED]

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit accuses BetMGM of failing to adequately protect consumers’ personal data from a cyberattack in May 2022.

According to the 57-page lawsuit, the breach of the high-profile sports betting company’s network compromised the sensitive data of up to 1.5 million current and former users. The complaint relays that the personally identifiable information (PII) accessed in the data breach, which the company purportedly discovered in late November last year, was not encrypted and included full names, contact information, dates of birth, Social Security numbers and other confidential details.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The suit alleges that BetMGM “negligently” and “recklessly” failed to take reasonable steps to secure current and former customers’ private information against cyberattacks. The online gambling company “failed to even encrypt or redact this highly sensitive information,” the case claims, stressing that had the data been properly encrypted, the hackers “would have made off with only unintelligible data.”

In addition, the filing takes issue with the defendant’s alleged failure to notify victims in a timely manner that their personal data had been compromised. Though the unauthorized access was supposedly discovered in late November, BetMGM only began notifying victims in late December, the complaint shares.

The notice letter sent to victims, however, “amounts to no real disclosure at all, as it fails to inform, with any degree of specificity, Plaintiff and Class Members of the Data Breach’s critical facts,” the lawsuit charges. Absent from the notice is the exact date of the cyberattack, why it took the company months to discover it, how the hackers gained access, the precise data that was disclosed and what steps the company is taking to safeguard consumers’ information in the future, the suit says.

By collecting and benefitting from customers’ data, BetMGM is legally obligated to safeguard that information, the case claims.

The privacy policy listed on BetMGM’s website, which has sections called “How we protect your data” and “What data breach procedures we have in place,” shows that the company understood that the massive quantity of valuable personal data stored in its network would attract cybercriminals, the complaint argues.

The plaintiff, a New Jersey resident and accountholder with BetMGM since February 2022, learned that his private data had been compromised when he received the company’s notice in December, the lawsuit explains.

Indeed, cybersecurity journal Security Week published that in December 2022 “a cybercriminal posted an offer to a database containing all 1.57 million customer records that were stolen from MGM,” the suit reads.

BetMGM has purportedly offered victims two years of identity and credit monitoring, but the filing deems this “wholly inadequate” as the consequences of the data breach may take years to manifest.

The lawsuit looks to represent anyone in the United States identified by BetMGM as among those who were impacted by the data breach announced in December 2022, including those who were sent notice of the breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.