MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit claims MGM Resorts International not only failed to properly safeguard customers’ private information but minimized to the public the true extent of a Summer 2019 data breach.

Filed in Nevada, the case claims an unauthorized individual gained access to the hospitality and entertainment giant’s computer network on July 7, 2019 and proceeded to steal the names, addresses, drivers’ license numbers and other personally identifiable information (PII) of more than 10.6 million guests. Rather than promptly disclose the incident, MGM, in an effort to avoid negative press in the wake of the 2017 Las Vegas mass shooting, “avoided bringing the matter to public light, hoping that the [b]reach and its inadequate cyber security practices would go unnoticed,” the lawsuit says.  

According to the complaint, MGM did not notify affected guests that their personal information had been compromised until September 5, 2019 when the company released a statement assuring that “there is no evidence that your information has been misused.” Despite the defendant’s assurances, however, the stolen data was reportedly published on a “popular internet hacking forum, available for misuse by a host of bad actors” in February 2020, the lawsuit says.

Although MGM’s privacy policy purports that the company uses “industry standard” cyber security measures, MGM’s failure to protect customers’ data from unauthorized parties suggests otherwise, the lawsuit argues. The complaint further claims that MGM’s decision to delay informing guests of the breach prevented those affected from taking the steps needed to protect themselves from identity theft and fraud.

As a result of MGM’s failure to safeguard consumer data, the suit contends, guests affected by the breach face “long lasting and severe” consequences, including a heightened risk of identity fraud and theft. Consumers may also be forced to spend time and money on protective measures. The plaintiff stresses that although the defendant offered 12 months of free credit monitoring to those affected by the breach, the olive branch is “wholly inadequate” in that proposed class members face potentially years of an increased risk of identity theft.