
MGM Data Breach 2023


MGM Resorts International (MGM) is a global entertainment company with a main headquarters in Las Vegas, Nevada. It is one of the largest casino operators in the entire world. Alarmingly, in 2023, the company announced it was subject to a massive data breach.

As reported by CNN, “the private data of customers who used MGM services before March 2019, including contact information, gender, date of birth and driver’s license numbers, was breached.” Within this article, our Las Vegas attorneys provide a comprehensive overview of the key points to know about the MGM data breach in 2023 and the rights/options of victims. 

An Overview of the 2023 MGM Data Breach

A cybersecurity breach caused a serious problem for MGM in the Fall of 2023. On October 5th, 2023, MGM Resorts Investor Relations put out a press release confirming the incident. Even now an investigation is still underway to determine exactly what happened.

The company emphasized that “on or around September 29, 2023, MGM Resorts determined that an unauthorized third party obtained personal information of some of its customers on September 11, 2023.” Here are key points to know about the 2023 MGM data breach:  

  • A Wide Range of Sensitive Customer Information Exposed: Unfortunately, the cyberattack at MGM impacted sensitive customer information. Indeed, there was reportedly a significant data breach involving the MGM loyalty program database. Personal details such as driver’s licenses, Social Security numbers, full names, phone numbers, and email addresses were compromised. The company noted that pre-2019 members were affected. 
  • Hack Occurred After Group Impersonated Employee: As reported by Kolide, the hack likely began after cyberattackers “impersonated an employee using information likely sourced from social media and the company website.” They reportedly used a complex social engineering technique—including voice phishing and SIM swapping—to give them unauthorized access to MGM’s systems. Once inside, they were able to escalate their privileges and move laterally within the company’s internal network. 
  • A Group Called Scattered Spider Claims Responsibility for Cyber Attack: Scattered Spider, a subgroup of the larger ALPHV ransomware group, claimed responsibility for the cyber attack on MGM Resorts. The group is known for its expertise in social engineering and has been active in several high-profile ransomware attacks. Their methods typically involve impersonating company insiders to access critical network systems. They then attempt to exploit that access to deploy ransomware and steal data.
  • Serious Questions Raised About MGM’s Cybersecurity Practices: Was the MGM cybersecurity breach preventable? Several experts in the field believe that it was and that it could have been avoided with the right practices. Notably, MGM has had issues related to other data breaches in the recent past. The ease with which the attackers bypassed existing security measures highlights potential weaknesses in MGM’s approach to protecting sensitive customer information.

FTC is Reviewing the Conduct of MGM, Seeking Information

MGM is currently subject to a review by the Federal Trade Commission (FTC). The FTC is responsible for regulating a wide range of consumer protection matters, including certain data privacy requirements. As reported by Reuters, the FTC and MGM are currently at a legal impasse.

The FTC is seeking additional information about the data breach from MGM. The Las Vegas-based company has filed a lawsuit in an attempt to limit the access of the FTC to its internal records. 

Businesses and Organizations have a Duty to Protect Customer/Client Data

We live in a digital world. Virtually every person in the United States is required to give a wide range of sensitive personal information to businesses and organizations. These entities have a duty to protect customer and client data. It is a responsibility that cannot be taken lightly. Indeed, with the increasing prevalence of data breaches and other types of cyberattacks, well-crafted security measures are an absolute necessity.

The misuse of personal information can lead to serious consequences for affected customers/clients. Cybersecurity is not just about installing the latest anti-virus software or setting up firewalls. It also involves comprehensive risk assessments, regular security audits, and the cultivation of a security-focused culture among employees. 

What to Know About Data Breach Claims (Your Rights and Your Options)

Were you the victim of a company’s data breach in Las Vegas? Whether it was the MGM data breach or any other type of data breach, it is imperative that you know your rights and your options. Notably, there are federal and state regulations in place that provide protection to customers/clients. Here are some key points to be aware of: 

  • The Right to Notification: As a general rule, companies are required by law to notify affected individuals of data breaches that may impact their personal information. The notification should include details of what information was involved, how the breach occurred, and what measures are being taken in response. Notice should be timely.
  • Credit Monitoring: After a data breach involving sensitive financial information, you often have the right to receive free credit monitoring services. These services help to alert you to potentially fraudulent activity involving your credit information.
  • Legal Recourse: You may have the option to join a class-action lawsuit if a breach occurs due to negligence. Alternatively, you might seek individual litigation if the breach has led to financial losses. If you have any questions about a data breach claim—whether an individual lawsuit or a class action claim—a top-tier Las Vegas lawyer can help. 
  • Regulatory Complaints: You can file a complaint with appropriate governmental bodies. In the U.S., this could be the Federal Trade Commission (FTC) or the Nevada Attorney General’s Office. Federal and state agencies can investigate the breach. They may impose civil penalties and/or take action to recover compensation for affected consumers. 

Have Questions About the MGM Data Breach? We are Here to Help

At Ace Law Group, we are committed to providing top-tier, solutions-focused advocacy to clients. Our firm knows how to hold large corporations and big insurance companies accountable. We have recovered tens of millions in compensation for clients across our practice areas.

Have questions about a legal matter? Contact us at our Las Vegas office today for a free, no-obligation consultation.