A federal court has granted preliminary approval of a $45 million settlement in two data breach class-action lawsuits against Las Vegas-based MGM Resorts International.

Final approval of the settlement, which involved cyberattacks carried out against MGM resorts in July 2019 and September 2023, is expected in June. The court consolidated the two similar cyberattack class actions.

Under terms of what is called a global settlement, class members whose Social Security numbers or military identification numbers were exposed are eligible for a $75 cash payment while those whose passport number or driver’s license was exposed are eligible for $50. In addition, all settlement class members may get identity theft protection and credit monitoring.

In court documents filed in U.S. District Court in Nevada, attorneys for the class action estimated that MGM has a database of around 37 million customers.

“On behalf of millions of MGM Resort customers, I’m very pleased with this settlement,” said Douglas McNamara, co-lead interim class counsel and a partner at Cohen Milstein. “The hotel and entertainment industries are particularly desirable targets for hackers. The same hackers also attacked Caesars Entertainment Inc. in 2023.”

McNamara is interim co-lead class counsel in a similar class action against Caesars as well.

A representative of MGM had no comment about the settlement.

MGM, which operates 11 gaming and nongaming resort properties in Las Vegas, including Bellagio, MGM Grand, Aria and Mandalay Bay, was crippled for several days by the second cyberattack in September 2023. Insurance coverage ultimately paid for most of the estimated $100 million in damages brought by the attack.

The attack against MGM last year was the second in two months. In August, a similar attack against Caesars ended quickly when the company reportedly paid a multimillion-dollar ransom to the attackers. Law enforcement officials advised MGM not to pay, and it didn’t.

Nine days of turmoil

But the nine days of turmoil at MGM properties disrupted business for Nevada’s largest employer.

MGM resorts in Las Vegas and across the United States were unable to process credit card transactions, the websites and app were down, in-casino ATMs were offline and their paid parking access was compromised. Apps on cellphones used to access hotel rooms didn’t work. Restaurant and attraction reservation systems failed. Company email also was offline.

The company, fearing worse damage to their systems, shut down networked slot machines and had to pay slot machine winners manually instead of through a machine’s ticket in-ticket out system that produces vouchers that could be redeemed for cash or inserted into other machines.

By November 2023, the company rebounded, thanks, in part, to the inaugural Formula One Las Vegas Grand Prix that drew thousands of guests to the company’s resorts.

Arrest in England

Around 10 months after the attack, in July, law enforcement officials in England arrested an unidentified 17-year-old boy who was released on bond after being apprehended by the Regional Organised Crime Unit for the West Midlands in Wallsal, a small city in central England. Representatives of the unit were assisted by Britain’s National Crime Agency, the U.S. Federal Bureau of Investigation and MGM.

There was no indication how the suspect was affiliated with hacker gangs identifying themselves as Scattered Spider and ALPHV, which claimed responsibility for hacking into MGM and Caesars computer systems.

The cyberattack also triggered another lawsuit in April 2024 with MGM accusing the Federal Trade Commission and its then-chairwoman, Lina Khan, of violating the company’s Fifth Amendment right to due process.

In its four-count action, MGM also alleged the FTC failed to follow its own conflict-of-interest guidelines.

Khan was among those who checked into the MGM Grand right after the cyberattack began.

Earlier this month, she was replaced as FTC chair by Andrew Ferguson when President Donald Trump took office.

The lawsuit, filed in U.S. District Court for the District of Columbia, sought to stop the FTC from seeking a civil investigative demand in its investigation of MGM related to the cyberattack.

___

©2025 Las Vegas Review-Journal. Visit reviewjournal.com.. Distributed by Tribune Content Agency, LLC.