MGM International Resorts Data Breach Litigation Settlement: $45M Approved—Payments Just Started December 12, 2025
MGM Resorts International agreed to a $45 million settlement resolving claims from two massive data breaches affecting 37 million customers—one in July 2019 and another in September 2023 that crippled Las Vegas Strip operations. A federal judge granted final approval on June 18, 2025. Payments for approved cash claims just began December 12, 2025, with financial monitoring enrollment emails starting December 16, 2025. The claim deadline passed June 3, 2025. The settlement ranks among the largest hospitality data breach recoveries in US history.
What the MGM Data Breach Litigation Alleged
Multiple class action lawsuits consolidated into multidistrict litigation in the U.S. District Court for the District of Nevada accused MGM Resorts of negligence and failure to implement adequate cybersecurity measures to protect customer data.
The Two Separate Breaches:
July 2019 Breach: An unauthorized individual accessed MGM’s computer network without permission and downloaded partial customer data, which later appeared for sale on dark web forums. This breach compromised the data of up to 200 million guests worldwide who stayed at MGM properties through December 31, 2017.
September 2023 Ransomware Attack: Cybercriminals gained access credentials by impersonating an IT administrator through social engineering. The attack paralyzed MGM’s operations for days, shutting down slot machines, reservation systems, hotel room keys, and mobile check-ins across Las Vegas Strip properties. MGM reported approximately $100 million in losses from system downtime alone.
Plaintiff Tonya Owens and other class representatives argued MGM was negligent in failing to prevent both breaches and should have implemented stronger security systems and better safeguards.
The Compromised Data: What Was Stolen
The breaches exposed varying levels of personally identifiable information (PII) for approximately 37 million individuals:
Information Compromised:
- Names
- Home addresses
- Phone numbers
- Email addresses
- Dates of birth
- Driver’s license numbers
- Passport numbers
- Military identification numbers
- Social Security numbers (for a subset of victims)
The 2019 breach involved the most extensive data exposure, potentially affecting up to 200 million guests worldwide. The 2023 attack compromised fewer individuals but caused more immediate operational chaos.

How the September 2023 Attack Unfolded
The 2023 incident revealed how sophisticated social engineering attacks can bypass even robust technical safeguards.
The Attack Method:
Hackers used a technique called “vishing” (voice phishing) to convince MGM IT staff they were legitimate administrators. Once attackers obtained access credentials, they deployed ransomware that encrypted critical systems.
The Operational Impact:
For over a week, MGM properties operated in crisis mode:
- Slot machines went dark
- Guests couldn’t check in electronically
- Room keys stopped working
- Reservation systems crashed
- Staff processed transactions manually with pen and paper
- ATMs were disabled
- Loyalty program access was blocked
The chaos unfolded at MGM Grand, Bellagio, Aria, Mandalay Bay, and other iconic Las Vegas resorts during peak tourist season.
MGM chose not to pay the ransom, instead methodically restoring systems. Competitor Caesars Entertainment suffered a similar attack around the same time but reportedly paid $15 million to the hackers.
Legal Claims: Why MGM Faced $45 Million Settlement
Plaintiffs alleged multiple legal violations:
Negligence: MGM failed to implement reasonable cybersecurity measures despite known threats. The 2019 breach should have prompted enhanced security, yet the 2023 attack succeeded through basic social engineering.
Breach of Implied Contract: By collecting customer data, MGM implicitly promised to protect it with reasonable security measures.
Violations of State Data Breach Notification Laws: Multiple states require timely breach notification. Plaintiffs alleged delays and inadequate disclosures.
Violations of Consumer Protection Statutes: MGM’s security failures constituted unfair or deceptive business practices under various state consumer protection laws.
Breach of Confidence: Customers trusted MGM with sensitive information. The company’s security failures breached that confidence.
Lead counsel John Yanchunis of Morgan & Morgan led the consolidated litigation through extensive discovery, expert depositions, and mediation before reaching the settlement.
The $45 Million Settlement Breakdown
MGM agreed to a comprehensive settlement without admitting wrongdoing:
Cash Payments:
Class members who experienced documented losses could receive up to $15,000 per person for:
- Fraud losses
- Identity theft expenses
- Credit monitoring fees
- Credit report costs
- Credit freeze fees
- Professional fees (attorneys, accountants for identity theft recovery)
- Time spent responding to the breach (reimbursed at hourly rates)
- Other out-of-pocket costs
Tiered Cash Payments:
The settlement established payment tiers based on the type of information compromised:
- Tier 1: Social Security numbers or passport numbers compromised
- Tier 2: Driver’s license or military ID numbers compromised
- Lower tiers: Other PII compromised
Financial Account Monitoring:
All class members receive one year of free financial account monitoring, including:
- Three-bureau identity theft protection
- Credit monitoring across Experian, Equifax, and TransUnion
- At least $1 million in fraud and identity theft insurance
- Dark web monitoring
- Lost wallet assistance
Attorney Fees and Costs:
Class counsel received approximately $11.25 million (25% of the settlement fund) plus litigation expenses. Lead plaintiffs received service awards of approximately $23,000 and $13,000 respectively.
Critical Timeline: Settlement Through Payout
November 1, 2017: Initial plaintiff files lawsuit after 2017 data exposure
July 2019: First breach publicly disclosed; breach notices sent to a fraction of affected guests
September 7, 2023: Second ransomware attack begins
September 2023: Plaintiff Tonya Owens files lawsuit over 2023 breach
2024: Multiple lawsuits consolidated into multidistrict litigation
January 28, 2025: Court grants preliminary settlement approval
February-April 2025: Class notices sent with unique claim IDs
May 19, 2025: Deadline to opt out or object (only one objection received, dismissed as untimely)
June 3, 2025: Claim filing deadline passes
June 18, 2025: Final approval hearing; Judge grants final approval
December 12, 2025: First wave of payments issued for approved cash claims (payments just started 12 days ago!)
December 16, 2025: Financial monitoring enrollment emails begin
Who Was Eligible for the Settlement
To qualify, you needed to:
- Be a U.S. resident whose private information was compromised in the July 2019 and/or September 2023 MGM data breaches
- Have received a breach notification from MGM (class members got notices with unique IDs between February-April 2025)
- Submit a valid claim form by June 3, 2025
MGM Hotel Brands Affected:
The 2019 breach involved guests who stayed at MGM properties including:
- MGM Grand
- Bellagio
- Aria
- Mandalay Bay
- Luxor
- Excalibur
- New York-New York
- Monte Carlo (now Park MGM)
- The Mirage
- Circus Circus
- And other MGM-operated properties worldwide
The FTC Investigation That Vanished
The case took an unusual turn regarding federal oversight.
After the 2023 breach, the Federal Trade Commission launched an investigation into MGM’s security practices and requested detailed information about the company’s safeguards.
MGM’s Response:
Rather than cooperate, MGM sued the FTC and lobbied Congress to block the investigation. In mid-2024, lawmakers passed a bill preventing the FTC from using funds to pursue the MGM case.
The Investigation Ends:
When Andrew Ferguson became FTC Chair in 2025, one of his first actions was dropping the MGM case entirely. This ended any federal oversight of MGM’s role in the breaches.
The closure of the FTC investigation meant the class action settlement became the only meaningful accountability mechanism for MGM’s security failures.
What This Settlement Means for Corporate Cybersecurity
The MGM case establishes critical precedents for hospitality and entertainment companies handling consumer data.
Key Lessons:
1. Repeat Breaches Increase Liability: MGM faced heightened scrutiny because the 2023 attack occurred after the 2019 breach. Courts and plaintiffs argued MGM should have strengthened defenses after the first incident.
2. Social Engineering Is a Legal Vulnerability: Even though the 2023 breach involved sophisticated social engineering rather than technical exploits, courts still held MGM accountable. Companies must train employees to recognize phishing and vishing attacks.
3. Operational Disruption Isn’t a Defense: MGM’s argument that the ransomware attack was beyond its control didn’t absolve liability. Companies have a duty to implement safeguards that prevent or mitigate such attacks.
4. Notification Delays Have Consequences: Plaintiffs successfully argued MGM didn’t notify all affected individuals promptly. The 2019 breach affected up to 200 million guests, but MGM sent notices to only a fraction initially.
5. Tiered Damages Reflect Harm Severity: The settlement’s tiered structure recognized that compromising Social Security or passport numbers creates greater identity theft risk than compromising names and addresses.

Similar Data Breach Settlements for Context
MGM’s $45 million settlement ranks among the largest in hospitality but is dwarfed by other major breaches:
Equifax (2017) – $425 Million: The credit bureau’s breach affected 147 million consumers. Settlement provided cash payments, credit monitoring, and identity theft insurance.
Yahoo (2013-2016) – $117.5 Million: Multiple breaches affected all 3 billion Yahoo accounts. Settlement faced criticism for low individual payouts due to high claim numbers.
Capital One (2019) – $190 Million: Bank data breach compromised 100 million customers. Settlement combined regulatory penalties with class action resolution.
Marriott/Starwood (2014-2018) – $52 Million: Hotel chain breach affected 339 million guests worldwide. Like MGM, involved passport numbers and loyalty program data.
The Marriott case is particularly relevant because it also involved hospitality guest data and established that companies acquiring other businesses can inherit liability for predecessor security failures.
The Financial Impact on MGM Resorts
The breaches cost MGM far more than the settlement:
Direct Costs:
- $45 million settlement
- $100 million in operational losses from 2023 attack downtime
- Legal fees and litigation costs
- Cybersecurity upgrades post-breach
- Initial credit monitoring offered to affected customers
Indirect Costs:
- Reputational damage
- Stock price decline (fell 4% immediately after 2023 breach announcement)
- Customer trust erosion
- Regulatory scrutiny
- Lost business during operational disruption
MGM’s stock gradually recovered through 2024 as Las Vegas tourism rebounded, with shares trading in the mid-$50 range by early 2025. The settlement announcement in January 2025 had minimal additional impact, suggesting investors had already priced in the liability.
What MGM Changed After the Breaches
Following the attacks, MGM implemented several security enhancements:
Technical Safeguards:
- Enhanced multi-factor authentication for all system access
- Improved network segmentation to contain breaches
- More frequent security audits and penetration testing
- Advanced threat detection and monitoring systems
Human Safeguards:
- Comprehensive employee training on social engineering tactics
- Mandatory security awareness refreshers
- Enhanced verification procedures for access requests
- Incident response team expansion
Process Changes:
- Updated incident response plans
- Improved breach notification procedures
- Enhanced vendor security requirements
- Regular third-party security assessments
However, critics note that these measures came only after two major breaches, suggesting a reactive rather than proactive security culture.
Frequently Asked Questions
Q: Can I still file a claim?
No. The June 3, 2025 deadline has passed. Only individuals who submitted valid claims by that date will receive payment.
Q: I filed a claim. When will I receive payment?
Cash payments for approved claims just started December 12, 2025—only 12 days ago! If you haven’t received payment yet, this is normal. The settlement administrator is processing thousands of claims. Contact them at 888-899-8358 if you have concerns. Financial monitoring enrollment emails began December 16, 2025.
Q: How do I know if my claim was approved?
The settlement administrator (JND Legal Administration) should have notified you. If you’re unsure about your claim status, call 888-899-8358 or visit www.mgmdatasettlement.com.
Q: What if I never received a breach notification from MGM?
Only individuals who received breach notifications and were sent settlement notices with unique claim IDs between February-April 2025 were eligible to participate.
Q: How much will I actually receive?
Payment amounts vary based on:
- The tier of information compromised
- Whether you submitted documentation for out-of-pocket losses
- Total number of approved claims (pro rata distribution if claims exceed fund)
Q: Does MGM admit it was negligent?
No. Like most settlements, MGM resolved the claims without admitting or denying wrongdoing.
Q: Could there be more MGM breaches?
Any company faces ongoing cybersecurity threats. MGM claims to have enhanced security, but the hospitality industry remains a target-rich environment for hackers.
Q: Can I still sue MGM separately?
No. By not opting out by the May 19, 2025 deadline, class members released MGM from further liability related to these breaches.
Q: What happened to unclaimed funds?
Any unclaimed funds will be donated to the UNLV Cyber Clinic, a nonprofit organization supporting cybersecurity education and advocacy.
Q: Were MGM executives held personally liable?
No individuals were named as defendants. The settlement applies only to MGM Resorts International as a corporation.
Q: How does this compare to other hotel breach settlements?
MGM’s $45 million settlement is significant but lower than Marriott’s $52 million despite MGM’s breach affecting fewer people. Settlement amounts depend on negotiation dynamics, litigation costs, and jurisdiction.
What Happens If You Experience Identity Theft
If you were affected by the MGM breaches and later experience identity theft:
Immediate Steps:
- Place Fraud Alerts: Contact one of the three credit bureaus to place a fraud alert on your file
- Review Credit Reports: Obtain free credit reports and review for unauthorized accounts
- File Identity Theft Report: Report to FTC at IdentityTheft.gov and local police
- Contact Financial Institutions: Alert banks and credit card companies of potential fraud
- Document Everything: Keep detailed records of all communications and fraudulent charges
Use Settlement Benefits:
If you received financial monitoring through the settlement, activate those services immediately. The monitoring includes identity theft insurance that may cover recovery costs.
Consider Credit Freeze:
A credit freeze prevents new accounts from being opened in your name. Unlike fraud alerts, freezes must be placed with all three bureaus separately and remain until you lift them.
The Broader Implications for Hospitality Industry
MGM’s experience sends clear signals to hotels, casinos, and entertainment companies:
Regulatory Landscape Shifting:
While the FTC dropped its MGM investigation, state attorneys general are increasingly active in data breach enforcement. California, New York, and Massachusetts have been particularly aggressive.
Customer Expectations Changing:
Guests now expect transparency about breaches and proactive protection. Companies that delay notification or minimize breach severity face harsher legal and reputational consequences.
Insurance Market Tightening:
Cyber insurance premiums have skyrocketed post-COVID as breach frequency increased. Insurers now scrutinize security practices before issuing policies and may deny coverage for preventable attacks like social engineering.
Security Investment Is Mandatory:
The settlement establishes that reasonable cybersecurity isn’t optional. Companies face liability for failing to implement industry-standard safeguards, even if attacks use novel methods.
Contact Information for Questions
Settlement Administrator: MGM Data Incident Litigation Settlement Administrator, P.O. Box 3020, Portland, OR 97208-3020
Toll-Free: 888-899-8358
Website: www.mgmdatasettlement.com
Class Counsel:
- John A. Yanchunis, Morgan & Morgan Complex Litigation Group
- E. Michelle Drake, Berger Montague PC
- J. Gerard Stranch IV, Stranch, Jennings & Garvey PLLC
This article provides general information about the MGM Resorts data breach settlement. For specific legal or cybersecurity advice, consult appropriate professionals. Information is current as of December 24, 2025.
Case Name: In re: MGM Resorts International Data Breach Litigation
Court: United States District Court for the District of Nevada
Lead Plaintiffs: Tonya Owens and other class representatives
About the Author

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
