MGM will pay $45 million to settle data breach lawsuit

The class-action lawsuit covered data breaches in 2019 and 2023 that exposed 37 million customer’s information.

by Jess Weatherbed

Jan 29, 2025, 4:04 PM UTC

A final hearing will take place in June.

The Verge / Beatrice Sala

Jess Weatherbed is a news writer focused on creative industries, computing, and internet culture. Jess started her career at TechRadar, covering news and hardware reviews.

MGM Resorts International has agreed to pay $45 million to settle a lawsuit over data breaches that collectively exposed the personal information of 37 million customers. The case consolidated 22 class-action lawsuits filed over two security incidents: a data breach in 2019, and a ransomware attack in 2023.

Lawyers for the victims said in district court filings that both data breaches saw hackers access MGM’s systems and obtain identifiable customer data, including names, addresses, phone numbers, email addresses, dates of birth, and passport numbers. Further information was also stolen in the 2023 ransomware attack that shut down Las Vegas slot machines and ATMs, including driver’s license numbers, military ID numbers, and Social Security numbers.

The $45 million will be dispersed to those impacted by the breaches as $75, $50, or $20 payments through a tiered system based on what information a person had stolen. Victims who can provide documentation of further losses that resulted from having their information stolen in the breaches can claim up to $15,000.

A federal court has granted preliminary approval on the settlement, with a final hearing set to take place on June 18th. While the settlement deals with its class action lawsuit, MGM Resorts is still under investigation by the Federal Trade Commission over how it handled the 2023 ransomware attack, despite its attempts to block the probe.

Follow topics and authors from this story to see more like this in your personalized homepage feed and to receive email updates.