Even in the world of ransomware attacks, the 2023 ransomware attack on MGM Resorts was exceptional in many ways. Personal information of 37 million people was compromised in the data breach which was perpetrated on September 9, 2023 and was discovered by MGM the next day.
MGM has resorts in the United States in Las Vegas, Atlantic City and Detroit as well as resorts outside of the United States in China and Japan. Las Vegas MGM resorts include the Bellagio, Mandalay Bay, Mirage and Luxor hotels.
The ransomware attack affected 30 MGM Resort properties causing immediate tremendous disruption that lasted for 9 days with guests’ digital key cards inoperable, locking them out of their rooms, as well as affecting slot machines, ATMs and check in systems.
MGM refused to pay the demanded ransom, choosing to shut down its computer systems to reduce the damage until the systems could be restored. Personal information of 37 million people who had stayed at the hotels turned up on the Dark Web site of the ALPHAHV/Black Cat ransomware group in mid-September of 2023. The Dark Web is where criminals buy and sell goods and services. The data included full names, home addresses, phone numbers, email addresses and dates of birth and for some customers also included passport numbers, Social Security numbers and driver’s license numbers.
Now, a year and a half later, a class action on behalf of the victims of the data breach has been settled and the FTC which had been investigating MGM’s cybersecurity measures has dropped all legal actions against MGM.
While the ransomware malware used in the attack was extremely sophisticated, the manner by which the hackers were able to infiltrate the computers of MGM was simple social engineering by which the hacker found an MGM employee on LinkedIn who worked in IT for MGM and then called the MGM help desk posing as the employee and convinced the help desk employee to change the access password for the employee whose identity was used by the hackers. In ten minutes, they were off to the races using their access to MGM’s computer networks to place their ransomware.
Within a month multiple class actions were filed against MGM that were later consolidated into a single class action. The lawsuits alleged that MGM failed to take basic security steps including failing to encrypt or redact sensitive information.
Now the class action has been settled for $45 million and people eligible to make a claim in the class action are receiving email notices with a unique ID and PIN that can be used to file a claim. If your Social Security number was exposed, you may be eligible to receive a $75 cash payment. If your passport number or driver’s license was exposed, you may be eligible to receive a $50 cash payment. If your name, address and birth date were exposed you may be eligible to receive a $20 cash payment. In addition, claimants are eligible for a year of free credit monitoring. The deadline for submitting a claim is June 3, 2025
On the heels of the class actions the FTC commenced an investigation against MGM to determine if MGM’s data security practices violated consumer protection laws including the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act.
The Gramm-Leach-Bliley applies to financial institutions, however, the FTC said that it considered MGM’s casinos to be financial institutions because they allowed high-rollers to gamble using “markers” which are 30 day no-interest loans provided by the casino to its larger gamblers.
On January 25, 2024, the FTC issued a Civil Investigative Demand (CID) seeking information in 100 categories of information which was opposed by MGM in a lawsuit seeking an injunction to block the CID alleging that the FTC’ actions violated MGM’s right to due process and was overly broad and irrelevant to the cyberattack.
In the latest move, on February 25, 2025 the new FTC Chair Andrew Ferguson sent a two paragraph letter to Brian Boyle, an attorney for MGM indicating that the FTC was withdrawing its CID thereby putting an end to its investigation.
The class action settlement and the FTC dropping of its CID doesn’t close the book on the MGM ransomware attack, however, as the Justice Department brought charges in November against five people alleged to have been involved in the MGM ransomware attack along with other cyberattacks.