MGM and Caesars Face Lawsuits Over Cyberattacks
MGM Resorts International and Caesars Entertainment, two of the biggest U.S gambling operators, are facing legal challenges over their alleged failure to adequately protect customer data during recent cyberattacks.
Five class-action lawsuits have been filed against the gaming giants, claiming that both companies did not adequately safeguard the personal identifiable information of their loyalty program customers.
These data breaches were made public earlier this month, in an incident that made international headlines. While Caesars reportedly paid half of a $30 million ransom demand to avoid disruption, MGM Resorts chose not to negotiate.
This led to 10 days of fallout across MGM’s Nevada casino venues in Las Vegas, and others across the country. Hotel check-ins and electronic room keys, casino slots, rewards programs, and all kinds of payments across the company were taken offline or severely limited.
However, it seems both operators are now in the firing line for the behind-the-scenes loss of customer personal data.
The lawsuits were filed in the Nevada District Court, with four targeting MGM and Caesars respectively, and a fifth specifically against Caesars.
Plaintiffs Across the Country
The law firms involved in these lawsuits include Stranch, Jennings and Garvey PLLC, Kopelowitz Ostrow Ferguson Weiselberg Gilbert, O’Mara Law Firm, and Barnow and Associates.
Because of Las Vegas’ status as a legendary casino gambling destination, and MGM and Caesars being the two biggest operators in the city, plaintiffs in these lawsuits come from various states across the U.S.
For instance, in the lawsuits filed against Caesars, the plaintiffs are Alexis Giuffre from Kane County, Illinois, and Paul Garcia from Denver. In the MGM-targeted lawsuits, the plaintiffs are Emily Kirwan from Louisiana and Tonya Owens from Mississippi.
Both MGM and Caesars have yet to respond to requests for comment regarding the lawsuits.
Details of the Cyberattacks
Caesars Entertainment publicly detailed a cyberattack in a filing with the Securities and Exchange Commission on September 14.
The company revealed that an investigation on September 7 determined that an attacker had acquired a copy of the Caesars Rewards loyalty program database. This database contained sensitive information, including driver’s license and Social Security numbers.
The fact that it took a week, and a second cyberattack against MGM, before Caesars notified regulators, customers, and potential victims that it had been hacked is no doubt part of the concerns of the lawsuit.
On the other hand, MGM Resorts, which operates several high-profile properties on the Las Vegas Strip, including the Bellagio and Mandalay Bay, experienced a cyberattack on September 10.
This attack disrupted the company’s systems for nine days, affecting various operations, from reservations to digital room keys and payments. MGM has since reported that its computer systems are now operating normally.
The hacker groups ALPHV and Scattered Spider have claimed responsibility for the MGM and Caesars attacks, respectively.
While Caesars reportedly paid a multimillion-dollar ransom to mitigate the damage, it seems that MGM did not.
The hackers said they have stolen as much as six terabytes of data, containing millions of customers’ personal information. Much of this information, the plaintiffs say, has now been posted on the dark web.
Caesars says it has tried to make sure customers’ data was not shared in this way. But a company statement didn’t sound too certain.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” the operator said in a statement.
MGM has yet to comment on the data breach aspect of the hack specifically, after struggling to get its systems up and running again.
Its not just Las Vegas casinos that have been the victim of hacks in 2023. Offshore casinos and sportsbooks have also felt the heat. Early in September, Stake.com lost $40 million in cryptocurrency to a hack by North Korean government-linked groups, and back in July cryptocurrency casinos payment provider Alphapho saw more than $30 million stolen.
This isn’t the first time MGM Resorts has faced cybersecurity issues. In 2019, the company was targeted by hackers who stole the personal data of moe than 10.6 million guests. This information was subsequently posted online in 2020.