in Newswire Published on September 27, 2023

MGM Facing Class Action Over 10-Day Cyberattack in September 2023

by Kelsey McCroskey

View Comments

Kirwan v. MGM Resorts International

Filed: September 21, 2023 § 2:23-cv-01481

Read Complaint

A class action claims negligence on the part of MGM Resorts International is to blame for a September 2023 cyberattack that resulted in a 10-day shutdown of the company’s computer systems.

Defendant(s)

MGM Resorts International

Law(s)

State(s)

Nevada

Categories

Entertainment Privacy Data Breach

A proposed class action claims negligence on the part of MGM Resorts International is to blame for a September 2023 cyberattack that reportedly resulted in a 10-day shutdown of the company’s computer systems.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the 46-page lawsuit, unauthorized actors infiltrated MGM’s network on September 7 of this year by “impersonating an IT [administrator] and gaining access credentials.” Once inside the defendant’s system, the cybercriminals “locked down” the network and demanded MGM pay ransom, the suit relays.

Per the case, the ransomware attack lasted at least 10 days, during which MGM was forced to shut down computer systems across its properties, preventing consumers and resort guests from using electronic room keycards, Wi-Fi, ATMs, electronic gaming devices and other services.

Two notorious cybercriminal groups—Scattered Spider and ALPHV—have purportedly taken credit for the attack on MGM’s network and the theft of at least six terabytes of data from its stored files, the complaint explains. The filing shares that the ransomware attack compromised the information of MGM customers and MGM Rewards loyalty program members and included data such as full names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers and/or driver’s license numbers.

The lawsuit argues that MGM, one of the top casino and hotel operators worldwide, “negligently” failed to implement adequate cybersecurity protocols to safeguard consumers’ data, which it allegedly stored unencrypted and unredacted in its network.

What’s more, the suit contends that MGM should have been well aware of the “foreseeable” threat, given that its IT vendor, Okta, had previously warned of this kind of ransomware attack and a high-profile subsidiary, BetMGM, had experienced a data breach in 2022.

However, despite the warnings, the defendant failed to take reasonable data security measures to protect customers’ private information from unauthorized disclosure, the case alleges.

The lawsuit looks to represent anyone in the United States whose personal information was disclosed in the MGM data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

Case Spotlight

Hair Relaxer Lawsuits

Women who developed ovarian or uterine cancer after using hair relaxers such as Dark & Lovely and Motions may now have an opportunity to take legal action.

Read more here: Hair Relaxer Cancer Lawsuits

How Do I Join a Class Action Lawsuit?

Did you know there's usually nothing you need to do to join, sign up for, or add your name to new class action lawsuits when they're initially filed?

Read more here: How Do I Join a Class Action Lawsuit?

ClassAction.org Newsletter

Stay Current

Sign Up For
Our Newsletter

New cases and investigations, settlement deadlines, and news straight to your inbox.

This browser does not support PDFs. Please download the PDF to view it: Download PDF.
Open Document
Last Updated on September 27, 2023 — 9:28 AM

Kelsey McCroskey

kelsey@classaction.org

Kelsey works primarily on ClassAction.org’s newswire, reporting on cases as they happen.

About ClassAction.org

ClassAction.org is a group of online professionals (designers, developers and writers) with years of experience in the legal industry.

Learn More

Before commenting, please review our comment policy.