MGM Resorts International has agreed to pay $45 million to settle a class-action lawsuit over two major data breaches that exposed the personal data of millions of guests in 2019 and 2023. Eligible individuals may receive up to $75 as part of the settlement, with higher compensation available for documented financial harm.
Timeline of the Data Breaches: 2019 and 2023
The first breach occurred in July 2019, followed by a second in September 2023. In both cases, attackers accessed large volumes of customer data.
Compromised data included:
- Full names
- Email addresses
- Phone numbers
- Mailing addresses
- Dates of birth
In more severe cases, attackers obtained:
- Social Security numbers
- Passport details
- Driver’s license numbers
- Military identification numbers
Legal Action and Settlement Details
A class-action lawsuit, led by plaintiff Tonya Owens, was filed on behalf of affected customers. The lawsuit accused MGM Resorts of failing to safeguard data it had promised to keep confidential. The settlement resolves these claims.
MGM Resorts denies wrongdoing but has agreed to the payout to resolve the matter efficiently. The company operates several hospitality properties in Las Vegas, Japan, and other locations.
Eligibility and Compensation Tiers
To qualify for payment, individuals must have received an official notification from MGM confirming they were impacted by either the 2019 or 2023 breaches.
Compensation is categorized based on the sensitivity of the data exposed:
- $75 if sensitive identifiers such as Social Security numbers or military IDs were compromised
- $50 if documents like passports or driver’s licenses were exposed
- $20 for exposure of basic personal data (e.g., name, email, birthdate)
No supporting documentation is required for these base claims. However, individuals must submit a completed claim form by June 3, 2025
Additional Claims for Financial Losses
Those who experienced measurable harm such as identity theft or financial fraud can submit claims up to $15,000.
To qualify, documentation is required, such as:
- Bank statements showing unauthorized charges
- Police reports
- Credit monitoring invoices
- Any other proof of out-of-pocket losses or efforts to resolve identity theft issues
How to File or Opt Out
Claims can be submitted via the official settlement website, where users can:
- Check if they’re eligible
- File a payment claim
- Choose to opt out if they intend to pursue independent legal action
The opt-out deadline is May 19, 2025. The final settlement hearing is scheduled for June 18, 2025 in Las Vegas.
Context and Industry Impact
This is not the first such settlement in the . Similar legal actions have followed data breaches at other companies, including ParkMobile. These incidents continue to raise concerns about data privacy, security governance, and the legal risks organizations face after breaches.
