MGM Resorts and Caesars Entertainment are facing class action lawsuits in the aftermath of significant cyber attacks that disrupted their operations and exposed customer data over the last few months.
MGM Resorts experienced a cyber attack on September 10, 2023, which affected its systems and led to a 10-day shutdown of its computer systems. The attack impacted hotel reservations, credit card processing, gaming machines, and other services.
MGM Resorts is now facing class action litigation in two separate lawsuits filed in the US District Court in Nevada, alleging negligence and unjust enrichment for failing to protect customer data.
The plaintiffs claim that MGM should have been aware of the risk of attack due to prior warnings by its IT vendor, Okta, and failed to take necessary steps to protect customer data.
Caesars Entertainment also suffered a cyber attack this summer, during which hackers stole customer data, including driver's license numbers and Social Security numbers. The company reportedly paid about half of the $30 million ransom demanded by the hackers to prevent the disclosure of stolen data.
It is now facing multiple class action lawsuits, alleging negligence for allowing sensitive personal data to be stolen in a social engineering attack.
MGM Resorts and Caesars Entertainment now face a combined nine federal lawsuits in the wake of the cyber attacks. The lawsuits allege that both companies failed to protect customer data during the attacks, resulting in the exposure of personally identifiable information of loyalty program customers.
Law firms Stranch, Jennings and Garvey PLLC, Kopelowitz Ostrow Ferguson Weiselberg Gilbert, O’Mara Law Firm, and Barnow and Associates are providing legal representation for the plaintiffs.
Who Was Responsible?
In the days following the attack on MGM Resorts, news began to filter out that the ALPHV/BlackCat ransomware group had claimed responsibility.
Reuters reported:
“Two sources familiar with the matter told Reuters the hacking group Scattered Spider was behind it. Identified by analysts last year, this group uses social engineering to lure users into giving up their login credentials or one-time-password (OTP) codes to bypass multi-factor authentication, the security firm Crowdstrike said in a blog post in January.
It is "one of the most prevalent and aggressive threat actors impacting organizations in the United States today," Charles Carmakal, chief technology officer at Alphabet Inc's (GOOGL.O) Mandiant Intelligence said in a post on LinkedIn on Wednesday, following reports about the MGM breach.”
Carmakal added that the group is a splinter outfit from ALPHV/BlackCat and is thought to be composed of young, inexperienced members who are still a serious threat to major organisations across the United States.
Lisa Plaggemier, executive director of the National Cyber Security Alliance, spoke to Casino.org and criticised MGM’s network architecture.
“...I think there’s a lot of evidence suggesting that MGM’s network was not properly segmented. There should never be a situation where, for example, something bad happens in your payment card system and some of your slot machines don’t work. It’s like breaking into one store in the mall gets a criminal into every store in the mall.”
It has also come to light that MGM Resorts performed terribly in a readiness test by Boston-based BitSight, a cybersecurity ratings and analytics company, which gave it an “F”.