MGM Sued for 2019 Data Breach

Plaintiff John Smallman has filed a class-action lawsuit against MGM Resorts International on behalf of himself and others similarly situated in regards to a data breach that occurred in July 2019.  Identifying information of more than 10.6 million guests was allegedly shared online. Smallman is represented by the Tanasi Law Office, Morgan & Morgan Complex Litigation Group, and the Law Office of Paul C. Whalen. The case is being heard in the Nevada District Court before Judge Jennifer A. Dorsey.

The complaint states, “As a result of the Defendant’s failure to implement and follow basic security procedures, MGM customer [personally identifying information] is now at the hand of thieves.” According to the complaint, Internet security specialists found that the information leaked in the data breach presents “a treasure trove” of personal details on customers, many of whom will now “face a higher risk of receiving spear-phishing emails, and being SIM swapped.” (SIM swapping is a technique by which a malicious actor can bypass two-factor authentication.) Some of the exposed information included customer names, addresses, passport numbers, driver’s license numbers, phone numbers, emails and dates of birth. Smallman seeks the certification of a class defined as “All persons whose PII was compromised as a result of the Data Breach announced by MGM on or about September 5, 2019.”

MGM allegedly avoided publicizing the breach, in hopes that their “inadequate cybersecurity practices would go unnoticed.” On September 5, 2019, they issued a written notice regarding the breach, and claimed that immediate measures were taken “to investigate and remediate the incident.”  The complaint criticized this response, and claimed that MGM sought to “avoid additional negative publicity on the heels of the mass shooting that occurred 8 months earlier.”

MGM Resorts International is an entertainment and hospitality company headquartered in Las Vegas, NV operating resorts around the world. Millions of individuals stay at these resorts every year and provide MGM with their personally identifiable information.

As a result of the risks imposed by the breach, Smallman seeks $5,000,000 in damages, exclusive of interest and costs. Although the complaint claims Smallman’s heightened risk of experiencing identity theft and fraud, it does not mention if these have actually occurred.