A proposed class action lawsuit claims MGM Resorts International not only failed to properly safeguard customers’ private information but minimized to the public the true extent of a Summer 2019 data breach.
Filed in Nevada, the case claims an unauthorized individual gained access to the hospitality and entertainment giant’s computer network on July 7, 2019, and proceeded to steal the names, addresses, driver’s license numbers and other personally identifiable information (PII) of more than 10.6 million guests. Rather than promptly disclose the incident, MGM, in an effort to avoid negative press in the wake of the 2017 Las Vegas mass shooting, “avoided bringing the matter to public light, hoping that the [b]reach and its inadequate cyber security practices would go unnoticed,” the lawsuit says.
According to the complaint, MGM did not notify affected guests that their personal information had been compromised until September 5, 2019, when the company released a statement assuring that “there is no evidence that your information has been misused.” Despite the defendant’s assurances, however, the stolen data was reportedly published on a “popular internet hacking forum, available for misuse by a host of bad actors” in February 2020, the lawsuit says.
As a result of MGM’s failure to safeguard consumer data, the suit contends, guests affected by the breach face “long lasting and severe” consequences, including a heightened risk of identity fraud and theft. Consumers may also be forced to spend time and money on protective measures. The plaintiff stresses that although the defendant offered 12 months of free credit monitoring to those affected by the breach, the olive branch is “wholly inadequate” in that proposed class members face potentially years of an increased risk of identity theft.