After two major data breaches that exposed the personal information of millions of guests, MGM Resorts International has agreed to a $45 million class action settlement. The case, which is awaiting final approval, brings attention to the growing cybersecurity risks in the hospitality industry, which is a field that handles large amounts of customer data. Incidents like this raise questions that a data breach lawyer is often asked to handle: What happens when a company fails to protect sensitive information?
Two major breaches, four years apart
MGM faced two separate cyberattacks, one in July 2019 and the other in September 2023, both of which exposed customer data. The 2023 incident was particularly severe, shutting down slot machines, reservation systems, and room keys at some of Las Vegas’s most famous resorts. MGM later disclosed that the breach resulted in more than $100 million in losses. Together, these two events compromised the personal data of approximately 37 million individuals.
What information was compromised?
According to the lawsuit, hackers gained access to:
- Names and mailing addresses
- Email addresses and phone numbers
- Birth dates
- Driver’s license and passport numbers
- Military ID numbers
- Social Security numbers
This type of data can be used to commit identity theft and fraud. Plaintiffs alleged that MGM could have prevented these breaches with stronger security systems and better safeguards.
Settlement details
The settlement was filed in federal court in Nevada and consolidated claims from both breaches. Though MGM did not admit wrongdoing, the company agreed to a $45 million fund to resolve the case.
Compensation was based on the type of data exposed. Payments included:
- $75 for those whose Social Security or military ID numbers were compromised
- $50 for those with passport or driver’s license numbers exposed
- $20 for those whose name, address, or birth date was leaked
Eligible individuals were able to claim up to $15,000 in documented losses, including costs tied to identity theft or fraud. All class members were also offered one year of free financial account monitoring.
The MGM data breach settlement has since closed. The deadline to report a data breach was June 3, 2025, and the final approval hearing took place on June 18, 2025. Eligible individuals should have received direct notification from MGM if they were part of the class.
Ongoing regulatory scrutiny
Even though the MGM class action has ended, the company’s handling of the 2023 data breach is still drawing attention, especially after the Federal Trade Commission (FTC) dropped its investigation.
When the FTC launched its investigation, it requested that MGM provide details about its security practices. MGM responded by suing the agency. While the lawsuit was pending, MGM also lobbied Congress to block the investigation. In mid-2024, lawmakers passed a bill that prevented the FTC from using funds to pursue it.
In 2025, Andrew Ferguson was appointed as the FTC Chair. One of his first moves was to drop the case entirely, which ended any federal oversight of MGM’s role in the breach.
Critics say this decision reflects a broader shift in the agency’s approach to data privacy. Since then, the FTC has also removed key guidance on data breach enforcement from its website, raising questions about whether consumer data protection remains a priority.
What consumers can take away from this case
MGM’s experience shows how much is at stake when large companies handle personal information. While the settlement is over, the lessons still apply. Everyone should remain cautious about how and where they share their data with businesses in any industry. For companies, the message is clear that cybersecurity is a foundational part of doing business.
If you ever receive notice of a breach, take action quickly, change your passwords, enable two-factor authentication, and monitor your financial accounts and credit reports for suspicious activity. In more serious cases, a fraud alert or credit freeze may help prevent identity theft.
Learn more from Mason LLP
Mason LLP is committed to helping consumers understand their rights after a data breach. Our team has recovered over $1 billion on behalf of clients in cybersecurity and consumer protection cases.
If you have questions about how your information has been used or stored, or believe your privacy was compromised, Call (202) 429-2290 or contact us online today to learn more about your legal options. We offer free consultations and are here to help.