MGM Resorts International customers who allege the company allowed their data to be breached by hackers are suing the company in federal court.
In a class-action lawsuit, MGM Resorts International is being sued for a data breach that landed personal information for close to 11 million individuals in the hands of hackers and on a public website.
The breach, acknowledged by MGM to customers last year, took place in the summer of 2019, according to the suit.
“MGM has indicated that, on or about September 5, 2019, it notified affected customers that their PII [personally identifiable information] had been exfiltrated, but assured them that ‘there is no evidence that your information has been misused,'” the suit says.
“Seeking to avoid additional negative publicity on the heels of the mass shooting that occurred 8 months earlier, MGM avoided bringing the matter to public light, hoping that the Breach and its inadequate cyber security practices would go unnoticed,” the suit incorrectly alleges. The shooting massacre on the Las Vegas Strip took place on October 1, 2017, not eight months before the breach in the summer of 2019.
“Unfortunately, the miscreants that took and/or acquired the sensitive PII had other plans, and on February 19, 2020, internet technology publication ZDNet revealed that the personally identifiable information of more than 10.6 million MGM hotel guests had been posted on a popular internet hacking forum, available for misuse by a host of bad actors,” according to the lawsuit.
“The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect customer PII,” the suit says.
“We will continue to hold companies accountable for the harm they cause in people’s lives until they start treating consumers’ data with the care it deserves,” plaintiffs’ attorneys John Morgan and John Yachunis said in a statement to the Current.
MGM Resorts International did not immediately respond to requests for comment, but has told other media outlets the breached data amounts to information such as names and addresses commonly found in phone directories.