MGM Resorts International Data Breach

Notice for California Consumers

MGM Resorts International has recently admitted to disclosing sensitive customer information because of a data breach of its computer systems. Under California law, victims such as their customers, may be entitled to up to $750.

What Happened?

MGM Resorts International recently announced a data breach that exposed confidential customer information. If you have received services from MGM Resorts International and received a notice of the data breach, we can help navigate the next steps to answer your questions.

Both MGM Resorts International both experienced a large-scale cyberattack, forcing the company to shut down several properties in Las Vegas and around the world. While the MGM cyberattack is still under investigation, it has caused many to fear the possibility of a data breach involving confidential employee and customer information. If, upon completing its investigation, MGM determines that confidential information was leaked, the company will need to file data breach notification to state attorney generals and send out data breach notification letters to all individuals whose information was affected by the recent data security incident.

MGM Resorts International includes: Bellagio, Aria, Vdara, The Cosmopolitan, MGM Grand Las Vegas, The Signature at MGM Grand, Mandalay Bay, Delano Las Vegas, Park MGM, Nomad Las Vegas, New York-New York, Luxor, Excalibur, Beau Rivage Biloxi (MS), Borgata Hotel and Casino (NJ), Empire City Casino (NY), MGM Grand (MI), MGM National Harbor (MD), MGM Springfield (MA), MGM Northfield Park (OH), Bellagio (Shanghai), MGM Macau, MGM Grand Sanya, MGM Cotai and BetMGM.

What Are Data Breaches?

Data breaches occur when a business that holds data about consumers discloses, willingly or otherwise, that consumer information. Frequently, data breaches are the result of malicious conduct by third parties, such as hackers, who illegally gain access to a business’s data and either misuse it themselves (e.g., for identity theft or fraud) or sell or trade that data with others, often on the “dark web”—the portion of the internet that does not appear in search engine results and where a great deal of unlawful online activity takes place.

Unfortunately, in the modern age, data breaches have become a fact of life. Where data breaches are the result of insufficient protections put in place by the affected business, however, the business may be required to compensate the victims whose personal data was taken and disclosed. To qualify for compensation under the CCPA, the victim must be a California resident and must have experienced the disclosure of certain types of information (listed below).

What is the CCPA?

The CCPA refers to the California Consumer Privacy Act, which is a comprehensive data privacy law enacted in the state of California. It was signed into law in June 2018 and went into effect on January 1, 2020. The CCPA aims to enhance privacy rights and consumer protection for residents of California.

The key provisions of the CCPA include consumer rights, business obligations, and data breach liability.

It is important to note that the CCPA has been influential in shaping data privacy discussions and legislation in other jurisdictions, both within the United States and internationally. Other states in the U.S. have also started enacting similar privacy laws, and there have been ongoing discussions at the federal level to establish a comprehensive national privacy law.

What is the CPRA?

The CPRA refers to the California Privacy Rights Act, which is also known as Proposition 24. It is a privacy law that builds upon the CCPA to further enhance privacy rights and protections for California residents. The CPRA was approved by California voters in the November 2020 election and became effective on January 1, 2023.

The CPRA aims to enhance consumer privacy rights, provide individuals with more control over their personal information, and increase accountability and transparency for businesses operating in California.

What are the Risks of Data Breaches?

Becoming the victim of a data breach can be a stressful and frightening experience, as personal private information is disclosed to individuals who should not have access to that private data. Data breaches can be personally embarrassing and can place the victims at an increased risk of fraud or identity theft, as their stolen data can be misused by criminal actors, often long after the breach itself. For example, where a username and password are disclosed as part of a data breach, bad actors might make use of that information to illegally access accounts.

In some cases, the information disclosed through the data breach can be profited from immediately, such as by using login information to drain financial accounts or make purchases. In other cases, the personal information disclosed is bought and sold online where it can be used in conjunction with data from other sources (including other data breaches) as part of an identity theft attempt. In other words, it is often impossible to know the true risks of a data breach until long after the breach has occurred, as criminals may be analyzing and aggregating the stolen data into comprehensive identity theft packages. This is why holding businesses accountable for their insufficient data protections is important.

What Personal Information is at Issue?

While every data breach is somewhat unique, a data breach is defined by an improper disclosure of personal information. California law can provide for compensation of $100 to $750 when the following kinds of information are disclosed:

• First name, or first initial and last name, in combination with any of the following:
  • Social security number
  • Driver’s license number
  • California identification card number
  • Tax identification number
  • Passport number
  • Military identification number
  • Any other unique identification number issued on a government document that is commonly used to verify identity
  • Account number or credit or debit card number, in combination with any required security code, access code, or password, that would permit access to an individual’s financial account
  • Medical information
  • Health insurance information
  • Biometric data, e.g. fingerprint, retina scan, iris image
  • Genetic data

What Can I Do?

Unfortunately, in most cases of a data breach the stolen data is never recovered. As such, any data disclosed as part of a data breach has effectively entered the public domain, and may be repeatedly accessed, traded, bought, and sold by criminal actors online.

The first thing to do when discovering that you have been victimized in a data breach is to immediately change login information such as passwords to a new and unique password for the affected account.

Once passwords have been updated to new, unique, and strong passwords, an affected person should continue to monitor account activity and credit reports, to ensure that their information has not been misused. Suspicious activity should be reported directly to the bank or card provider where the account is maintained.

Victims of data breaches should also strongly consider taking action against the business that experienced, and may be responsible for, the breach. If you are a California resident, California law provides that where a business has failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information it holds, the victim of the data breach whose personal information is disclosed can seek compensation from the business. If you are a California resident who has been victimized by a data breach, you can contact our team of attorneys today to receive a free case evaluation. If you are entitled to compensation, our attorneys will bring a case on your behalf to seek the best possible compensation for your loss.

You can access a detailed list of reported data breaches using the websites of the California and Maine Attorneys General:

California: https://oag.ca.gov/ecrime/databreach/reports/sb24-567260

Maine: https://apps.web.maine.gov/online/aeviewer/ME/40/895b95c8-abc8-41f1-8c3f-b0415575de56.shtml

To receive the latest updates on this lawsuit and other firm news, follow Zimmerman Reed on Facebook, LinkedIn, Twitter.