
MGM Resorts Breach
Jul 25, 2019
10,632,809 rows
What happened in the MGM Resorts Breach?
DataBreach.com Team · November 30th 2024, 7:00 pm EST
In July 2019, MGM Resorts International, operator of marquee Las Vegas properties such as the Bellagio, Mandalay Bay, and the MGM Grand, experienced a major data breach that ultimately exposed the personal details of roughly 10.6 million former hotel guests. The stolen database surfaced on an underground hacking forum in February 2020, uploaded by a user believed to be connected to the prolific credential-trading group “GnosticPlayers,” which had already leaked billions of records from other companies that year.
The compromised dataset contained full names, home addresses, phone numbers, email addresses and dates of birth for millions of travelers, including celebrities, tech executives, government officials, and law-enforcement agents. MGM said no payment-card numbers, passwords or other highly sensitive identifiers (e.g., Social Security numbers) were included, but security researchers warned that the breadth of contact information alone was sufficient to fuel targeted phishing and social-engineering campaigns.
A subsequent forensic investigation concluded that threat actors had gained “unauthorized access to a cloud server” hosting historical guest records; industry analysts pointed to a misconfigured storage bucket as the likely entry point. MGM brought in two external incident-response firms, yet its initial public statements emphasized that the breach was limited and fully contained, an assurance that critics argued understated the true impact on guests’ privacy.
Although MGM claimed to have notified affected individuals shortly after discovery, the company faced backlash for waiting until the leaked database went viral to provide broader disclosure. That perceived opacity triggered a wave of litigation. Beginning in 2020, more than twenty class-action complaints, including Tanya Owens v. MGM Resorts International, were filed in the U.S. District Court for the District of Nevada, alleging negligence, breach of implied contract, unjust enrichment, and violations of a patchwork of state consumer-protection statutes.
Plaintiffs contended that MGM failed to maintain reasonable security controls, mismanaged its cloud environment, and delayed notifying guests, thereby heightening the risk of identity theft, SIM-swapping, and harassment. They also sought compensation for out-of-pocket expenses such as credit-monitoring services, credit freezes, and the time spent mitigating fraud.
After more than three years of consolidated discovery and mediation, MGM agreed in January 2025 to a global $45 million settlement covering the 2019 cloud-server breach (as well as a separate 2023 ransomware incident). The deal offers tiered cash payments of $20 to $75, plus up to $15,000 for documented losses, and a year of financial-account monitoring to U.S. residents whose data was exposed. A final approval hearing is scheduled for June 18, 2025.
The litigation highlights growing judicial impatience with hospitality firms’ lax security practices and delayed transparency. Once approved, the MGM settlement is expected to influence how hotels quantify breach-related harm, the speed at which they must notify guests, and the baseline controls the industry is expected to maintain for customer data stored in public-cloud environments.










