MGM Facing Class Action Over 10-Day Cyberattack in September 2023 [UPDATE]
Last Updated on January 30, 2025
Kirwan v. MGM Resorts International
Filed: September 21, 2023 | 2:23-cv-01481
A class action claims negligence on the part of MGM Resorts International is to blame for a September 2023 cyberattack that resulted in a 10-day shutdown of the company’s computer systems.
January 30, 2025 – $45 Million MGM Settlement Resolves Data Breach Lawsuits
A $45 million settlement has been reached to resolve the proposed class action lawsuit detailed on this page.
A proposed class action claims negligence on the part of MGM Resorts International is to blame for a September 2023 cyberattack that reportedly resulted in a 10-day shutdown of the company’s computer systems.
According to the 46-page lawsuit, unauthorized actors infiltrated MGM’s network on September 7, 2023 by “impersonating an IT [administrator] and gaining access credentials.” Once inside the defendant’s system, the cybercriminals “locked down” the network and demanded MGM pay ransom, the suit relays.
Per the case, the ransomware attack lasted at least 10 days, during which MGM was forced to shut down computer systems across its properties, preventing consumers and resort guests from using electronic room keycards, Wi-Fi, ATMs, electronic gaming devices and other services.
Two notorious cybercriminal groups—Scattered Spider and ALPHV—have purportedly taken credit for the attack on MGM’s network and the theft of at least six terabytes of data from its stored files, the complaint explains. The filing shares that the ransomware attack compromised the information of MGM customers and MGM Rewards loyalty program members and included data such as full names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers and/or driver’s license numbers.
The lawsuit argues that MGM, one of the top casino and hotel operators worldwide, “negligently” failed to implement adequate cybersecurity protocols to safeguard consumers’ data, which it allegedly stored unencrypted and unredacted in its network.
What’s more, the suit contends that MGM should have been well aware of the “foreseeable” threat, given that its IT vendor, Okta, had previously warned of this kind of ransomware attack and a high-profile subsidiary, BetMGM, had experienced a data breach in 2022.
However, despite the warnings, the defendant failed to take reasonable data security measures to protect customers’ private information from unauthorized disclosure, the case alleges.
The lawsuit looks to represent anyone in the United States whose personal information was disclosed in the MGM data breach.