Data Security, Ransomware

MGM, Caesars Hit With Class Action Lawsuits Over Massive Breach of Personal Information

MGM Resorts

Six class action lawsuits filed in Nevada District Court claim that MGM Resorts and Caesars Entertainment failed to protect the personal identifiable information (PII) of their loyalty program customers.

The lawsuits, according to a Las Vegas Review-Journal report, allege that MGM’s and Caesars’ negligence caused sensitive data to be hijacked by ransomware extortionists that attacked the resorts three weeks ago. In a Securities and Exchange Commission filing, Caesars acknowledged that a hacker had gained access to the PII of the company’s loyalty program customers, including driver’s licenses and social security numbers.

According to the Review-Journal account, the lawsuits allege that MGM and Caesars knew they should have protected their customers’ PII and that they failed to comply with Federal Trade Commission guidelines and industry standards. The plaintiffs contend they are now more vulnerable to identity theft.

Caesars reportedly paid a multimillion-dollar ransom to unlock its network systems but it is not clear if MGM has followed suit.

Eastern European hackers ALPHV and Scattered Spider have claimed responsibility for the ransomware attacks.

Second Lawsuit Targets MGM

In another case involving MGM only, the company has been hit with a class action lawsuit that argues the data breach cost customers the privacy of their PII.

The plaintiff, Tonya Owens of Mississippi, filed the class action lawsuit contending that MGM was negligent in failing to prevent the cyberattack that resulted in the data breach, as reported by Top Class Actions, a legal news source, and other outlets.

Owens wants to represent a nationwide class of consumers who had their PII exposed in the MGM data breach that began September 7. Owens claims that MGM’s negligence enabled the hackers to make off with credentials by impersonating a systems administrator. The breach led to exposing customers’ PII, including names, birthdates, addresses and social security numbers.

“Defendant failed to adequately protect Plaintiff’s and Class members PII — and failed to even encrypt or redact this highly sensitive information,” the MGM class action states, according to the Top Class Actions report.

Owens claims that MGM did not protect the PII of its customers despite assuming “legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion,” Top Class Action reported.

“This unencrypted, unredacted PII was compromised due to defendant’s negligent and/or careless acts and omissions and its utter failure to protect consumers’ sensitive data,” the MGM class action reportedly states.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.