MGM Resorts Data Breach Settlement: Analysis and Lessons for CISOs
- Avraham Cohen
- Apr 25, 2025
- 27 min read
If you are in a hurry -> Lessons and Best Practices for CISOs
Introduction
MGM Resorts International – a global hospitality and casino giant – suffered two major data breaches (in 2019 and 2023) that exposed millions of guest records (MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023).
The fallout included dozens of lawsuits consolidated into a class action alleging MGM’s failure to protect customer data.
In early 2025, MGM agreed to a $45 million settlement to resolve these claims ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks).
This high-profile case offers valuable insights for Chief Information Security Officers (CISOs) about the legal risks of cybersecurity failures and how to avoid them.
Below, we analyze the key aspects of the MGM breach settlement – the parties involved, the claims of negligence and legal violations, specific security lapses cited, and the settlement terms – and distill best practices CISOs can adopt to prevent similar incidents and lawsuits.
Background: The Company and the Breaches
MGM Resorts International is a leading U.S. hospitality and entertainment company operating 21 resort hotels and casinos (primarily in Las Vegas and other cities) (Scam of the day – March 16, 2025 – MGM Data Breach Settlement | Scamicide).
Millions of guests stay at MGM properties annually, entrusting the company with a wealth of personal identifying information (PII).
2019 Data Breach (July 2019): Hackers gained unauthorized access to MGM’s network on July 7, 2019 and stole the personal data of more than 10.6 million guests ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). The compromised PII included names, postal addresses, phone numbers, email addresses, dates of birth, and in many cases driver’s license, passport or military ID numbers (MGM Resorts Data Breach Class Action Lawsuit | Berger Montague) (MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023). MGM discovered the breach that summer and notified affected guests by September 5, 2019 ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). In its notice, MGM assured customers there was “no evidence” their data had been misused ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). However, just a few months later (February 2020), the stolen data appeared on a hacker forum, proving that criminals had obtained and disseminated the information ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). MGM’s delay in public disclosure was allegedly an attempt to avoid bad press (coming on the heels of a 2017 Las Vegas tragedy) ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests).
2023 Cyberattack (September 2023): A second major incident struck in September 2023, when hackers breached MGM’s systems using social engineering. Posing as an IT administrator, attackers tricked an MGM help desk employee via a phone call (a vishing attack) and gained access to MGM’s Okta identity management account (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). They escalated privileges within the network, stole sensitive data, and deployed ransomware that shut down MGM’s IT systems for 10 days, crippling casino and hotel operations (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). Personal data of guests was again compromised – including names, contact details, birthdates, driver’s license and passport numbers, and, in some cases, Social Security numbers (MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023). MGM later reported the business downtime cost an estimated $100 million in lost revenue (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt).
All told, approximately 37 million individuals had their data exposed in the 2019 and 2023 breaches ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks). These incidents seriously damaged customer trust and drew intense scrutiny from regulators and the public.
Legal Fallout: Class Action and Parties Involved
In the wake of the breaches, affected customers filed multiple lawsuits. After the 2019 hack, at least eight class action complaints were filed against MGM (MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023), and 14 more followed the 2023 attack (MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023).
These cases were eventually consolidated in the U.S. District of Nevada as a single class action: Smallman v. MGM Resorts International, No. 2:20-cv-00376 ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests) (MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023).
The lead plaintiff, John Smallman, was an MGM guest who had stayed at MGM properties over the years and provided his personal data (including driver’s license and payment card information) to the company ($45M MGM settlement resolves data breach class actions). He and the other named plaintiffs brought the case on behalf of all guests whose information was compromised. The defendants included MGM Resorts International itself ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests).
Notably, the Federal Trade Commission also took interest in MGM’s 2023 breach. The FTC issued a civil investigative demand, suggesting MGM’s practices may have violated consumer protection laws. (MGM fought the FTC inquiry in court, and by March 2025 the FTC and MGM agreed to drop that separate legal dispute (FTC and MGM Resorts Give Up Legal Fight Over Cybersecurity).)
This regulatory attention underscores that beyond private lawsuits, companies can face government “prosecutors” or regulators after a cyber incident. However, the primary focus here is the class action brought by customers.
Claims and Allegations in the Lawsuit
The consolidated class action accused MGM of gross security failures and sought to hold the company accountable under several legal theories.
The key claim types included negligence and consumer protection violations, among others:
Negligence: Plaintiffs alleged MGM had a duty to protect customers’ personal information and “failed to take basic precautions” to safeguard that data (Scam of the day – March 16, 2025 – MGM Data Breach Settlement | Scamicide). The complaint emphasizes that MGM knew the sensitivity of the PII it held and the foreseeable harm to guests if a breach occurred, yet did not implement reasonable cybersecurity measures (Smallman v. MGM Resorts International - 2:20-cv-00376). For example, MGM purportedly lacked adequate employee cybersecurity training and didn’t maintain proper IT security protocols or network safeguards (Smallman v. MGM Resorts International - 2:20-cv-00376). This carelessness, plaintiffs said, directly led to the breaches. MGM’s “own conduct created a foreseeable risk of harm” by failing to fix known security weaknesses and not adhering to industry security standards (e.g. data encryption, access controls) (Smallman v. MGM Resorts International - 2:20-cv-00376). In short, MGM was accused of negligence in its cybersecurity, resulting in the theft of guest data.
Negligence Per Se: The lawsuit also claimed MGM violated specific laws and regulations intended to protect consumer data, and that these violations constituted negligence per se. In particular, the plaintiffs pointed to Section 5 of the FTC Act, which prohibits unfair business practices. The FTC has stated that failing to use reasonable security measures to protect personal data is an “unfair” practice (Smallman v. MGM Resorts International - 2:20-cv-00376). According to the complaint, MGM’s poor security and failure to comply with industry standards meant it violated the FTC Act’s requirements for data protection (Smallman v. MGM Resorts International - 2:20-cv-00376). The plaintiffs fell within the class the FTC Act aims to protect, and the type of harm suffered (identity theft risk, fraud losses) is the kind the law is designed to prevent (Smallman v. MGM Resorts International - 2:20-cv-00376). In addition, MGM was accused of violating Nevada statutes that mandate reasonable data security (Nev. Rev. Stat. §603A.210) and compliance with the PCI-DSS payment card security standards (Nev. Rev. Stat. §603A.215) (Smallman v. MGM Resorts International - 2:20-cv-00376). These statutory breaches bolstered the negligence claims by effectively establishing that MGM breached its legal duties to safeguard data.
Breach of Implied Contract: When customers provided their personal information to book rooms or join loyalty programs, the plaintiffs argue, an implicit contract was formed in which MGM agreed to protect that information. The privacy policies and representations by MGM gave an expectation that appropriate security was in place. (In fact, MGM’s privacy policy expressly claimed the company used “industry standard” cybersecurity measures ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests).) The lawsuit alleges MGM broke its promises by failing to keep customer data secure and confidential. Plaintiffs had paid for MGM’s services and entrusted data on the understanding that the company would prevent unauthorized access and promptly inform them of any breach (Smallman v. MGM Resorts International - 2:20-cv-00376). By not doing so, MGM breached the implied contract. Notably, MGM waited nearly two months to notify guests of the 2019 intrusion and then downplayed its severity, assuring victims that there was no evidence of misuse ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). This delay and minimization meant customers were deprived of the chance to take timely protective action ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests), contrary to what they were implicitly promised (transparency and security).
Unjust Enrichment: The complaint further contended that MGM was unjustly enriched at the expense of its customers. Essentially, MGM benefited financially from guests’ business (and the personal data they provided), but cut costs on cybersecurity, thereby unfairly saving money. The plaintiffs argued it is inequitable for MGM to retain profits from customers while not investing in basic security measures or data protection commensurate with the volume of PII collected. In the wake of the breaches, customers bore the burden of fraud risks, credit monitoring expenses, and other costs – effectively subsidizing MGM’s inadequate security. The lawsuit sought restitution of the benefits MGM gained through this lapse, under an unjust enrichment theory.
Breach of Confidence: Another claim was that MGM breached the duty of confidence owed to its patrons. Guests entrusted personal and sensitive information to MGM with the expectation that it would remain confidential. By allowing unauthorized third parties (hackers) to access and exfiltrate that information, MGM violated the confidence and privacy rights of its customers. This cause of action, recognized in some jurisdictions, frames the failure to maintain confidentiality as a separate wrong, akin to an invasion of privacy. Given that millions of records, potentially including IDs and even Social Security numbers, were exposed, the breach of confidence was alleged to be egregious.
Consumer Fraud and Deceptive Trade Practices: Importantly, the plaintiffs sued under Nevada’s consumer protection laws (Nevada Deceptive Trade Practices/Consumer Fraud Act, NRS 598 and NRS 41.600). They asserted that MGM’s security failures and misrepresentations constituted unlawful and unfair business practices. For example, failing to maintain adequate data security while collecting customers’ PII was deemed an “unfair practice” (Smallman v. MGM Resorts International - 2:20-cv-00376). MGM was essentially selling hotel services that required customers to provide personal data, but not delivering on the promise to keep that data reasonably safe – an act the plaintiffs likened to advertising a product with false assurances (Smallman v. MGM Resorts International - 2:20-cv-00376). The complaint even cited a specific Nevada statute (NRS 598.0917(7)) forbidding companies from selling goods on terms that are less favorable than advertised (Smallman v. MGM Resorts International - 2:20-cv-00376). Here, the “terms” included implicit promises of data security which were not met. Moreover, by violating laws like the FTC Act and Nevada’s data security statutes, MGM also violated NRS 598.0923(3), which makes any violation of federal or state law in the course of business a deceptive trade practice (Smallman v. MGM Resorts International - 2:20-cv-00376). In sum, the lawsuit painted MGM’s lax security and delayed breach disclosure as a form of consumer fraud, causing injury to customers and entitling them to relief under consumer protection statutes.
Together, these claims describe a comprehensive failure by MGM to fulfill its legal obligations to safeguard customer information. The plaintiffs argued that MGM’s cybersecurity was far below acceptable standards, that the company ignored known risks (even after a first breach), and that it misled customers about the safety of their data.
For instance, evidence emerged that MGM had been warned by its identity management provider (Okta) about targeted social engineering attacks before the 2023 incident, yet still fell victim to one (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt).
Such facts bolstered the allegation that MGM’s conduct was negligent and reckless. MGM initially tried to get the case dismissed – contending that the plaintiffs had no compensable damages since, at first, there was no evidence of widespread identity theft – but a federal judge denied that motion in 2022, allowing the bulk of the class action to move forward ($45M MGM settlement resolves data breach class actions).
Technical Lapses and Security Issues Highlighted
From a CISO perspective, the MGM breaches and lawsuit underscore several technical security failings that were called out as root causes:
Susceptibility to Social Engineering: The 2023 breach demonstrated that human factors were a weak link. Attackers simply impersonated an employee over the phone to gain initial access (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). The success of this vishing attack indicates MGM lacked strong verification procedures for sensitive requests and that employees were not adequately trained to spot social engineering. Once the hacker had a foothold (a legitimate credential), they were able to escalate privileges and move laterally through MGM’s network (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). The lawsuit pointed to “inadequate employee training and education” on cybersecurity as a contributing factor (Smallman v. MGM Resorts International - 2:20-cv-00376). In essence, MGM did not sufficiently prepare staff against phishing/vishing attempts, nor did it enforce robust identity verification (such as multi-factor authentication or callback procedures) to prevent an intruder from leveraging a single stolen credential.
Identity and Access Management Failures: The attackers in 2023 breached MGM’s Okta Identity Management system, even setting up their own rogue identity provider within Okta to maintain access (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). This suggests that MGM’s identity and access management (IAM) controls were not locked down. A well-configured IAM should have detected or prevented unauthorized additions of new identity providers or unusual account privilege escalations. Additionally, while MGM did use multi-factor authentication (MFA) via Okta, reports indicate the hackers exploited MFA fatigue – bombarding an employee with push notifications until one was approved, granting access (Cyber Attack & Breach on the MGM Resort Explained. Details of the Class-Action.). If true, this means MGM’s MFA implementation and monitoring were not resilient to known attack techniques. A more secure approach could include limits on MFA prompts or additional verification for repeated attempts.
Lack of Network Segmentation and Intrusion Detection: Once inside, the attackers were able to access critical systems (including those handling high-value transactions and personal data) and deploy ransomware that affected a broad swath of MGM’s infrastructure (Cyber Attack & Breach on the MGM Resort Explained. Details of the Class-Action.) (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). This breadth of impact implies that MGM’s internal network may not have been sufficiently segmented by trust levels. A single compromised account led to system-wide disruption, indicating the absence of robust internal firewalls or network segmentation that could contain an intruder’s movement. Moreover, while MGM eventually discovered the attack (prompting an emergency shutdown of Okta Sync servers) (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt), the fact that attackers operated inside the network long enough to scoop up data and launch ransomware suggests that real-time intrusion detection and response mechanisms were insufficient. An ideal setup would have alarms and automated responses trigger at signs of anomalous privilege escalation or large-scale data exfiltration. The lawsuit noted MGM failed to put proper procedures in place to prevent unauthorized dissemination of data and to timely detect the breach (Smallman v. MGM Resorts International - 2:20-cv-00376).
Inadequate Data Security Measures (Encryption, etc.): Plaintiffs alleged that MGM did not adhere to industry-standard data protection practices. For example, sensitive personal data in MGM’s databases may not have been encrypted at rest, or was left accessible in plain text to those who breached the system. The complaint explicitly states MGM breached its duty by “not complying with industry standards for the safekeeping” of PII (Smallman v. MGM Resorts International - 2:20-cv-00376). It also cited MGM’s failure to meet the PCI-DSS standards for protecting payment card data as a violation of law (Smallman v. MGM Resorts International - 2:20-cv-00376). Taken together, this indicates that basic security controls – encryption of personal data, regular penetration testing, up-to-date patch management, and strict access controls – were not rigorously implemented. These lapses made the theft of data much easier once attackers were inside.
Breach Response and Notification Issues: On the procedural side, MGM’s handling of the 2019 breach was criticized. The company took nearly two months to notify affected individuals, allegedly prioritizing damage control over transparency ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). Even then, the notification downplayed the risk (“no evidence” of misuse) ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests) despite hackers having actually stolen the data. This delayed and guarded disclosure was highlighted in the lawsuit as a failure – both morally and legally – as many jurisdictions require prompt breach notification. Nevada law, for instance, mandates that data breach notices be provided in the “most expedient time possible” (consistent with other state laws). By “avoiding bringing the matter to public light” quickly, MGM arguably violated such statutes and prevented customers from taking timely protective measures ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). From a CISO’s perspective, this underscores that incident response plans must include clear, lawful communication strategies. Mishandling breach disclosure not only erodes customer trust but also invites legal claims (in MGM’s case, claims that it engaged in deceptive practices by minimizing the breach).
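The identity-plane lapses above (MFA fatigue and the rogue identity provider) are the kind of signals an IAM monitoring rule can surface early. The following is an added example written for this article, not MGM's or Okta's code: it runs simple detection logic over a handful of constructed log lines. The log format and the event names (mfa.push.sent, mfa.push.denied, auth.mfa.success, idp.lifecycle.create) are assumptions loosely modelled on an identity provider's system log; map them to your own IdP's real event types before use.

```python
"""Added example (not MGM's or Okta's code): flag an MFA push flood against one
user, an MFA approval that follows a run of denials, and the creation of a new
identity provider. Log lines, event names and field layout are constructed for
this example and are assumptions, not a real IdP's schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed event names; map them to your IdP's real event types.
PUSH_SENT = "mfa.push.sent"
PUSH_DENIED = "mfa.push.denied"
MFA_SUCCESS = "auth.mfa.success"
IDP_CREATED = "idp.lifecycle.create"

WINDOW = timedelta(minutes=10)
PUSH_THRESHOLD = 5   # more than this many pushes to one user within WINDOW is a flood
DENY_THRESHOLD = 3   # a success after this many recent denials looks like fatigue


def parse_line(line):
    """Constructed format: '<ISO timestamp> | <user> | <event>'."""
    ts, user, event = (part.strip() for part in line.split("|"))
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event}


def _prune(queue, now):
    """Drop timestamps that fell out of the sliding window."""
    while queue and now - queue[0] > WINDOW:
        queue.popleft()


def detect(lines):
    """Return a list of (alert_type, user, timestamp) tuples, in log order."""
    alerts = []
    pushes = defaultdict(deque)    # per-user timestamps of push challenges
    denials = defaultdict(deque)   # per-user timestamps of denied pushes
    for rec in map(parse_line, lines):
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        if event == PUSH_SENT:
            q = pushes[user]
            q.append(ts)
            _prune(q, ts)
            if len(q) == PUSH_THRESHOLD + 1:   # fire once, when the threshold is crossed
                alerts.append(("mfa_push_flood", user, ts))
        elif event == PUSH_DENIED:
            q = denials[user]
            q.append(ts)
            _prune(q, ts)
        elif event == MFA_SUCCESS:
            q = denials[user]
            _prune(q, ts)
            if len(q) >= DENY_THRESHOLD:      # user finally approved after refusing repeatedly
                alerts.append(("mfa_approved_after_denials", user, ts))
        elif event == IDP_CREATED:
            # Any new identity provider is high-risk; alert unconditionally for review.
            alerts.append(("new_identity_provider", user, ts))
    return alerts


# Constructed sample log (not real MGM data): one user is flooded with pushes,
# denies three, then approves; a second user logs in normally; later a new
# identity provider is created.
SAMPLE_LOG = [
    "2023-09-08T09:00:00 | j.doe | mfa.push.sent",
    "2023-09-08T09:00:05 | j.doe | mfa.push.denied",
    "2023-09-08T09:00:40 | j.doe | mfa.push.sent",
    "2023-09-08T09:00:45 | j.doe | mfa.push.denied",
    "2023-09-08T09:01:20 | j.doe | mfa.push.sent",
    "2023-09-08T09:01:25 | j.doe | mfa.push.denied",
    "2023-09-08T09:02:00 | j.doe | mfa.push.sent",
    "2023-09-08T09:02:40 | j.doe | mfa.push.sent",
    "2023-09-08T09:03:20 | j.doe | mfa.push.sent",        # sixth push in ten minutes
    "2023-09-08T09:03:30 | j.doe | auth.mfa.success",     # approved after three denials
    "2023-09-08T09:05:00 | a.lee | mfa.push.sent",
    "2023-09-08T09:05:10 | a.lee | auth.mfa.success",     # ordinary login, no alert
    "2023-09-08T10:15:00 | j.doe | idp.lifecycle.create",  # new IdP added
]

if __name__ == "__main__":
    for alert_type, user, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {alert_type:28s} user={user}")
```

The push-flood rule fires once when the sixth push arrives, so a sustained attack does not generate one alert per notification; the denial rule catches the moment the target gives in, which is the event worth paging on. In production these would feed a SIEM rule that opens a ticket and suspends the session pending a callback to the user.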
In summary, MGM’s security posture had multiple points of failure: human (social engineering susceptibility), process (poor incident response and notification), and technology (insufficient access controls, monitoring, and data protection).
The hackers exploited these weaknesses with tactics that, while not exceedingly sophisticated (the initial breach was essentially a phone scam), were devastatingly effective given the gaps in MGM’s defenses. These technical and organizational shortcomings were central to the plaintiffs’ case that MGM had not exercised reasonable care in protecting customer information.
The Settlement: Key Terms and Outcomes
Facing the substantial evidence and the prospect of protracted litigation, MGM Resorts opted to settle the class action. In January 2025, U.S. District Judge Gloria M. Navarro granted preliminary approval to a $45 million settlement agreement ($45M MGM settlement resolves data breach class actions).
The settlement is designed to compensate affected individuals and impose some remedial measures, without MGM admitting wrongdoing.
Key aspects of the settlement include:
Class Scope: The settlement class covers all individuals in the United States whose personal information was accessed in the July 2019 or September 2023 MGM data breaches ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks). This likely encompasses the roughly 37 million customer records compromised in those incidents. Both former and current guests (and even MGM Rewards loyalty members) who had data exposed are included.
Monetary Payments to Affected Consumers: MGM will provide a fund of $45,000,000 to compensate class members. Individuals can claim two types of payments:
Reimbursement for Out-of-Pocket Losses: If a victim suffered actual identity theft or fraud or spent money to mitigate the breach (for example, fees for credit reports, credit monitoring services, or legal/accountant fees to recover from identity fraud), they can submit documentation and receive up to $15,000 each in reimbursement ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks). These “Documented Loss” payments ensure people aren’t left bearing financial harm caused by the breaches.
Flat Cash Payments (Tiered): Even if a class member did not incur direct losses, they are eligible for a fixed cash payment based on the types of personal data that were compromised. The settlement defines three tiers of data sensitivity:
Tier 1: Those whose Social Security number or military ID was exposed get approximately $75 ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks).
Tier 2: Those whose passport or driver’s license number was exposed (but not SSN) get about $50 ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks).
Tier 3: Those whose info was limited to name, address, and date of birth (and no ID numbers from Tier 1 or 2) receive roughly $20 ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks).
These cash payouts compensate people for the increased risk and inconvenience suffered, even absent direct monetary loss. (The exact amounts are estimates; the final per-person amount may be adjusted pro rata depending on how many claims are filed ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks).)
Identity Protection Services: All class members can opt for free credit monitoring and identity theft protection services for one year, provided by MGM as part of the settlement ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks). This is in addition to (and beyond) the 12 months of credit monitoring MGM originally offered after the breaches, which plaintiffs had deemed inadequate ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). Extended monitoring helps detect any delayed misuse of stolen data.
No Admission of Liability, but Security Improvements Likely: In class action settlements, the defendant often does not admit fault formally. However, such settlements frequently require the company to improve its security practices. While the specific non-monetary terms of MGM’s settlement are not fully detailed in public summaries, data breach settlements generally mandate the defendant to implement or maintain certain cybersecurity measures (MGM Resorts Data Breach Class Action Lawsuit | Berger Montague). MGM will presumably have to bolster its data protection – e.g. upgrading network security, training, and incident response – to prevent a recurrence. (Indeed, by late 2024, MGM had announced a commitment of $50 million to strengthen cybersecurity after these incidents (Cyber Attack & Breach on the MGM Resort Explained. Details of the Class-Action.).)
Release of Claims: In exchange for the settlement benefits, class members who do not opt out will release MGM from all related legal claims. This means MGM gains closure on these class action allegations. Notably, the settlement covers both the 2019 and 2023 breaches, resolving all consolidated lawsuits in one global deal ($45M MGM settlement resolves data breach class actions). This helps MGM avoid multiple trials and further reputational damage.
Timeline: Class members were notified of the settlement (via email or mail with a unique ID for claim filing) (Scam of the day – March 16, 2025 – MGM Data Breach Settlement | Scamicide) and have until June 3, 2025 to submit claims ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks). A final approval hearing is set for mid-June 2025 ($45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks). If the court grants final approval and any appeals are resolved, payouts and services will follow. The entire process highlights that more than five years passed between the initial breach (2019) and ultimate resolution – a long tail of consequences for MGM.
The $45 million settlement sum is one of the larger data breach settlements in recent years, reflecting the scale of the incident (tens of millions of consumers, with highly sensitive data in some cases).
For comparison, other hospitality breaches (like the 2018 Marriott/Starwood breach) led to settlements in a similar range. While $45 million will go toward consumer remediation, it’s worth noting this is only one dimension of MGM’s total costs.
The company also suffered substantial business interruption losses (the $100M from the 2023 shutdown) and undoubtedly invested in incident response, IT forensics, legal fees, PR/crisis management, and now security upgrades.
Factoring all that, the true cost of these breaches to MGM likely far exceeds the settlement amount. This case vividly illustrates how a single cybersecurity incident can mushroom into a multi-year, multi-million-dollar ordeal.
Lessons and Best Practices for CISOs
The MGM Resorts debacle serves as a cautionary tale for organizations and their security leaders.
CISOs can draw several critical lessons to strengthen their cybersecurity programs and reduce legal exposure:
1. Prioritize Defense Against Social Engineering: A major takeaway is that sophisticated firewalls and encryption mean little if an attacker can simply con an employee into opening the gates. Social engineering (phishing, vishing, etc.) remains one of the most potent threats, as MGM’s 2023 breach proved. Attackers impersonated authorized personnel and talked their way in (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). To counter this, companies must invest in continuous security awareness training for all staff. Teach employees how to recognize and report phishing emails and suspicious calls. Regular drills (simulated phishing/vishing exercises) can keep everyone vigilant. As one security analysis noted, attackers are increasingly adept at impersonation, so it is “essential to educate staff on recognizing and responding to such threats.” (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt) A strong security culture – where employees are encouraged to verify identities and question unusual requests – is the best defense against human-targeted attacks. Additionally, implement strict verification protocols for password resets or account changes (e.g. requiring multiple forms of confirmation) to thwart impersonators.
2. Implement Robust Identity and Access Controls: Limit the damage a single compromised account can do. Use multi-factor authentication (MFA) universally, but also be aware of MFA fatigue tactics. Solutions like number-matching prompts or timeout limits can help mitigate push-notification overload attacks. Monitor authentication logs for rapid-fire MFA requests or logins from new locations. The MGM attackers were able to escalate privileges and even integrate a malicious identity provider into MGM’s Okta environment (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt) – an alarming scenario. To prevent this, enforce the principle of least privilege (users should have only the access necessary for their role, and no more). High-privilege accounts (admins, domain controllers, identity provider settings) should have extra safeguards: hardware security tokens, adaptive risk-based authentication, or manual approval for critical changes. Segregate duties so that no single helpdesk employee can, for example, reset a critical password without secondary approval. Had MGM employed more layered access controls, the intruders might have been stopped at the initial foothold rather than gaining free rein in the network.
3. Embrace Defense in Depth – Layered Security: MGM’s breaches highlight the need for a multi-layered security architecture. No single measure is foolproof, so every layer of defense should be strengthened. This includes perimeter defenses (firewalls, intrusion prevention systems) as well as internal network segmentation and monitoring. A post-mortem noted that many companies harden their exterior but neglect internal network controls – and stressed that internal defenses are a crucial part of a “defense in depth” strategy (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). CISOs should ensure that even if an attacker breaches the outer wall, additional barriers (network segmentation, internal firewalls, strict VLAN separations between sensitive data stores and general user network) limit lateral movement. Deploy intrusion detection systems (IDS) or endpoint detection and response (EDR) agents within the network to catch suspicious behavior (like a regular user account trying to access a database of customer IDs). In MGM’s case, an IDS might have flagged the abnormal data exfiltration or the unusual Okta changes before ransomware detonated. Also, keep systems and software patched to eliminate known vulnerabilities that could be exploited – failing to patch would be another “basic precaution” a court would expect as part of reasonable security. Overall, layering preventive controls with detective controls and response capabilities is essential.
4. Develop a Thorough Incident Response Plan and Practice It: Despite best efforts, breaches can still happen – and as MGM learned, the response can make a huge difference in outcome. A well-prepared incident response (IR) plan can significantly minimize damage and legal exposure. MGM’s reactive move to shut down all Okta servers was described as hasty and perhaps overly broad (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt), suggesting their response playbook was being written on the fly. Don’t wait for a crisis to decide how to respond. Create a detailed IR plan that covers various scenarios (data breach, ransomware, insider threat, etc.) and defines roles, communication channels, and decision processes. Conduct tabletop exercises and drills regularly to walk through incident scenarios with your IT, security, legal, and executive teams (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). These simulations will reveal gaps in your plan and improve coordination. When an incident occurs, a rehearsed team can respond in a more organized, measured way – containing threats while preserving evidence and maintaining business continuity as much as possible. Crucially, an IR plan must include a breach notification procedure compliant with legal requirements. Determine in advance how you will notify customers, regulators, and law enforcement, and do so truthfully and expediently. Prompt, transparent notification (as opposed to MGM’s delayed, minimized disclosure) not only keeps you within the law but can reduce lawsuits by maintaining goodwill and helping customers protect themselves quickly.
5. Ensure Legal and Regulatory Compliance (PCI-DSS, FTC Guidelines, Data Laws): One reason MGM faced a negligence per se claim is that it failed to meet established security standards. To avoid similar claims, make compliance a floor, not a ceiling. If your business handles credit card data, adherence to the PCI-DSS standard is mandatory – and, as shown in the MGM case, not doing so can be used against you in court (Smallman v. MGM Resorts International - 2:20-cv-00376). Likewise, if you operate in states/countries with data security laws (which is virtually everywhere now), know your obligations (for instance, Nevada’s law requiring “reasonable security measures” for personal info (Smallman v. MGM Resorts International - 2:20-cv-00376)). Following recognized security frameworks (ISO 27001, NIST Cybersecurity Framework, CIS Critical Controls) can demonstrate that your organization exercises due care. Also, heed FTC guidance on data protection – the FTC regularly penalizes companies for poor security under its broad authority. In MGM’s case, the FTC opened an investigation on the premise that MGM’s practices may have been “unfair” to consumers (FTC and MGM Resorts Give Up Legal Fight Over Cybersecurity). To avoid such scrutiny, implement the security controls that regulators expect: encryption of sensitive data, strong authentication, routine security testing, vendor management, and so on. Maintain documentation of your compliance efforts; it could become evidence of your “reasonable security” if ever needed.
6. Don’t Over-Promise Security in Public Statements: There is an interesting nuance in the MGM lawsuit – plaintiffs pointed to MGM’s privacy policy claims (of using “industry standard” security) and its reassuring statements after the breach, arguing these were misleading ([SETTLED] MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests). CISOs should review what their company is publicly asserting about data security. Ensure your practices live up to your promises. If you advertise cutting-edge security or tell customers “we value your privacy and protect your data,” that creates an expectation. Failing to meet it not only hurts reputation but can lead to allegations of deceptive trade practices. It’s wise to avoid overly specific or grandiose security claims in customer-facing materials unless fully vetted. Work closely with legal and communications teams to strike a balance between reassuring customers and making guarantees that your security program can’t actually deliver. Transparency is best – if a breach does occur, do not minimize or misrepresent it. Companies have faced harsher fallout for cover-ups (see: Uber’s 2016 breach concealment). In practice, being forthright and offering timely help to users can stave off class actions or regulatory punishments.
7. Limit Data Collection and Retention: Another preventative measure is data minimization. The more sensitive information you collect and store, the bigger a target you become and the greater the fallout if breached. Ask: do we truly need to collect or retain certain PII? In MGM’s case, data from millions of former guests (even dating back several years) was still on file and got stolen ( MGM Resorts Data Breach Class Action Lawsuit | Berger Montague ). If older records or unnecessary fields (like Social Security numbers for hotel guests, or excessive ID info) had been purged or tokenized, the impact would have been less. A security expert commenting on these breaches noted that individuals are “only as secure as the companies [they] do business with” and advised not providing SSNs or storing credit cards unless essential (Scam of the day – March 16, 2025 – MGM Data Breach Settlement | Scamicide). CISOs should enforce policies to delete personal data that is no longer required for business or legal purposes. Implement techniques like encryption and tokenization for data at rest, so that even if databases are accessed, the contents are not immediately usable. By reducing the trove of high-value data and protecting what you must keep, you not only reduce risk but also the scope of liability – fewer people impacted means fewer plaintiffs if a breach occurs.
8. Strengthen Third-Party Risk Management: Modern enterprises rely on many third-party providers (cloud services, SaaS platforms, contractors). The MGM attack vector was through Okta (an identity service provider) and possibly involved the compromise of an external account. This underscores the importance of managing supply chain and third-party risks. Vet the security of vendors who handle your sensitive data or critical operations. Include security requirements and audit rights in contracts. Monitor vendor announcements for security issues (e.g. if your IAM provider warns of social engineering campaigns, take it seriously and reinforce controls – a step MGM perhaps did not take sufficiently (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt)). Limit the access vendors have into your systems (principle of least privilege, again). A cybersecurity firm noted that even reputable vendors can be vectors, so one should conduct thorough third-party risk assessments and continuous monitoring of partners (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). Essentially, hold your partners to high security standards and have an incident plan in case a vendor is compromised.
9. Invest in Cyber Insurance and Risk Transfer: Despite best efforts, breaches may still happen. One way to mitigate the financial blow and support incident response is through cyber insurance. MGM’s case illustrates massive direct losses and legal liabilities. Cyber insurance can cover things like forensic investigation costs, legal defense, public relations, notification expenses, credit monitoring for customers, regulatory fines, and settlement payouts. While insurance doesn’t prevent breaches, it provides a safety net. As a cybersecurity blog commented, “cyber insurance can help organizations recover financially from breaches, covering costs like incident response, legal fees, and customer compensation.” (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt) For CISOs, working with risk management to get appropriate coverage is part of a holistic resilience strategy. Keep in mind, insurers will often require you to demonstrate certain security controls (to qualify or to get better rates), which dovetails with the other best practices listed. Essentially, if you follow all the above steps, you become a better insurance candidate and can negotiate coverage that ensures a breach won’t be an existential event for the company.
10. Continual Improvement and Testing: Lastly, treat security as an ongoing process. The threat landscape evolves, and attackers learn from each other (just as we must learn from incidents like MGM’s). Continuously test your defenses – through regular penetration testing, red team exercises, and security audits. In fact, the MGM incident highlights the importance of proactive testing: had MGM conducted thorough pentests or red-team exercises focusing on social engineering and lateral movement, they might have identified the very weaknesses that were exploited. A year after the breach, security consultants emphasized the need for ongoing offensive testing and vigilance (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). CISOs should cultivate a mindset of “assume breach” – meaning, assume that at some point controls will fail, and plan layers and responses accordingly. Gather lessons from not only your own incidents but others in your industry. As one expert noted, “by learning from the mistakes of others, we can strengthen our defenses” (MGM Breach: Lessons Learned for Cybersecurity Teams | Cobalt). The MGM case is exactly such a learning opportunity for peers.
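Lesson 2 above recommends watching authentication logs for rapid-fire MFA requests and for logins from new locations. The following is an added example of what that detection logic can look like; it is not MGM's code or any identity provider's product, and the whitespace-separated log format, the field names, the thresholds and the per-user location baseline are all constructed assumptions. It flags a burst of push prompts to one user inside a short window, escalates when the user approved a prompt right after the burst (the case where the fatigue tactic worked), and reports successful logins from a country outside the user's baseline.

```python
"""
Detection logic for the two signals lesson 2 calls out: MFA push-fatigue
bursts and logins from a location outside a user's baseline.
Added example, not MGM's or any IdP vendor's code. The log format, field
names, thresholds and baseline below are constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs):
# <ISO-8601 UTC timestamp> <user> <event> <country>
SAMPLE_LOG = """\
2025-01-10T08:00:01Z alice mfa_push_sent US
2025-01-10T08:00:05Z alice mfa_push_denied US
2025-01-10T08:00:09Z alice mfa_push_sent US
2025-01-10T08:00:14Z alice mfa_push_sent US
2025-01-10T08:00:20Z alice mfa_push_sent US
2025-01-10T08:00:26Z alice mfa_push_sent US
2025-01-10T08:00:40Z alice mfa_push_approved US
2025-01-10T08:01:00Z alice login_success US
2025-01-10T09:15:00Z bob mfa_push_sent US
2025-01-10T09:15:30Z bob mfa_push_approved US
2025-01-10T09:15:31Z bob login_success US
2025-01-11T02:03:00Z bob mfa_push_sent BR
2025-01-11T02:03:20Z bob mfa_push_approved BR
2025-01-11T02:03:21Z bob login_success BR
"""

# Assumed baseline of countries each user normally signs in from
# (in practice learned from, say, the previous 90 days of successful logins).
BASELINE = {"alice": {"US"}, "bob": {"US"}}

PUSH_THRESHOLD = 4                 # pushes inside the window we treat as a burst
PUSH_WINDOW = timedelta(minutes=2)
APPROVAL_GRACE = timedelta(minutes=5)


def parse_events(text):
    """Parse the constructed log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, country = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "country": country,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, threshold=PUSH_THRESHOLD, window=PUSH_WINDOW):
    """Sliding window per user over mfa_push_sent events; report the largest
    burst that reached the threshold as {user: {count, first, last}}."""
    recent = defaultdict(deque)
    alerts = {}
    for e in events:
        if e["event"] != "mfa_push_sent":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:      # drop pushes that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(e["user"], {}).get("count", 0):
            alerts[e["user"]] = {"count": len(q), "first": q[0], "last": e["ts"]}
    return alerts


def approved_after_fatigue(events, alerts, grace=APPROVAL_GRACE):
    """Users who approved a push shortly after a burst: the high-severity case,
    because it usually means the fatigue tactic succeeded."""
    hits = set()
    for e in events:
        a = alerts.get(e["user"])
        if a and e["event"] == "mfa_push_approved" and a["last"] < e["ts"] <= a["last"] + grace:
            hits.add(e["user"])
    return sorted(hits)


def detect_new_locations(events, baseline):
    """Successful logins from a country outside the user's baseline. A flagged
    country joins the working set so one trip yields one alert, not many."""
    seen = {u: set(c) for u, c in baseline.items()}
    findings = []
    for e in events:
        if e["event"] != "login_success":
            continue
        known = seen.setdefault(e["user"], set())
        if e["country"] not in known:
            findings.append((e["user"], e["country"], e["ts"]))
            known.add(e["country"])
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    bursts = detect_push_fatigue(evs)
    print("push-fatigue bursts:", bursts)
    print("approved after burst:", approved_after_fatigue(evs, bursts))
    print("new-location logins:", detect_new_locations(evs, BASELINE))
```

On the sample data, alice receives five prompts in under half a minute and then approves one, which is the pattern to page on; bob's Brazil login is a lower-severity anomaly worth a check against travel or a contact with the user. The threshold and window are starting points to tune against your own prompt volumes so that a legitimate user who mistypes a few times does not trip the burst rule.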
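Lesson 7 above argues for purging data you no longer need and tokenizing what you must keep so a dumped table is not immediately usable. As an added example (not MGM's code), the block below applies a retention cutoff to constructed guest records and then replaces ID-document numbers with random tokens held in a separate vault; the record layout, the field names and the two-year retention period are assumptions made for the illustration.

```python
"""
Data minimization in practice: a retention purge followed by tokenization of
direct identifiers, run over constructed guest records.
Added example for lesson 7, not MGM's code. The record layout, field names
and the 2-year retention period are assumptions.
"""
import secrets
from datetime import date, timedelta

RETENTION_DAYS = 365 * 2                       # assumption: keep 2 years after last stay
TOKENIZED_FIELDS = ("passport", "drivers_license")
DEMO_TODAY = date(2025, 4, 25)                 # fixed "today" so the demo is repeatable

# Constructed sample records (not real guest data)
GUESTS = [
    {"guest_id": 1, "name": "Ann Example", "passport": "P0000001",
     "drivers_license": None, "last_stay": date(2019, 6, 1)},
    {"guest_id": 2, "name": "Bo Sample", "passport": None,
     "drivers_license": "D0000002", "last_stay": date(2024, 11, 3)},
    {"guest_id": 3, "name": "Cy Test", "passport": "P0000003",
     "drivers_license": "D0000003", "last_stay": date(2025, 2, 14)},
]


def purge_expired(records, today, retention_days=RETENTION_DAYS):
    """Return (kept, purged_ids): records whose last stay predates the
    retention cutoff are dropped instead of lingering as breach exposure."""
    cutoff = today - timedelta(days=retention_days)
    kept, purged = [], []
    for r in records:
        if r["last_stay"] < cutoff:
            purged.append(r["guest_id"])
        else:
            kept.append(r)
    return kept, purged


class TokenVault:
    """Token -> value map kept apart from the guest table. In production this
    would be its own hardened store with far tighter access (assumption)."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)   # random; nothing about the value leaks into it
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]

    def __len__(self):
        return len(self._store)


def tokenize_records(records, vault, fields=TOKENIZED_FIELDS):
    """Copy records with raw identifier values swapped for vault tokens."""
    out = []
    for r in records:
        clean = dict(r)
        for f in fields:
            if clean.get(f) is not None:
                clean[f] = vault.tokenize(clean[f])
        out.append(clean)
    return out


def contains_raw_identifier(records, fields=TOKENIZED_FIELDS):
    """Audit check: True if any record still holds a non-token identifier."""
    return any(r.get(f) is not None and not str(r[f]).startswith("tok_")
               for r in records for f in fields)


if __name__ == "__main__":
    kept, purged = purge_expired(GUESTS, DEMO_TODAY)
    vault = TokenVault()
    minimized = tokenize_records(kept, vault)
    print("purged guest ids:", purged)
    print("vault entries:", len(vault))
    print("raw identifiers remain in guest table:", contains_raw_identifier(minimized))
```

The audit helper at the end is the kind of check to run on a schedule: it turns "we tokenize sensitive fields" from a policy statement into something you can evidence, which is exactly what a "reasonable security" defense needs.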
Conclusion
The MGM Resorts data breaches and the ensuing $45 million settlement send a clear message: cybersecurity failures can have enormous financial and legal consequences. For CISOs and business leaders, it’s a stark reminder that investing in strong security upfront is far cheaper than paying for breaches later. In MGM’s scenario, gaps in basic safeguards – from employee training to timely breach disclosure – opened the door to litigation by tens of millions of customers, not to mention regulatory scrutiny by the FTC. Reputational damage and lost customer confidence have likely cost MGM dearly as well.
By analyzing what went wrong at MGM, we’ve outlined concrete steps to avoid a similar fate. Ensuring robust, multi-layered security controls, fostering a security-aware culture, adhering to legal standards, and having a practiced incident response plan are all critical. Equally important is executive support: CISOs should advocate for the resources needed to address the lessons above (whether it be new security tools, training programs, or expert consultants to conduct audits). A breach at the scale of MGM’s can be an existential threat to a business – but it is largely preventable through due diligence and strategic planning.
For cybersecurity executives, the MGM case is an urgent call to re-evaluate your organization’s security maturity. Ask yourself: if we were breached tomorrow, could we demonstrate that we took reasonable precautions? Would our response instill confidence or invite backlash? By proactively shoring up defenses and learning from MGM’s missteps, CISOs can protect not only their data but also their enterprise’s brand and balance sheet. In the end, the best way to avoid lawsuits is to avoid the breach in the first place – and the best way to do that is by cultivating a resilient, ever-improving security program. The settlement may have closed the MGM case, but the work of preventing the next breach is never done.
References
Kelsey McCroskey, “$45 Million MGM Settlement Resolves Data Breach Lawsuits Over 2019, 2023 Cyberattacks,” ClassAction.org, Jan. 30, 2025 (updated Mar. 7, 2025).
Seth Humeniuk, “MGM Hit with Class Action Over Summer 2019 Data Breach Affecting 10.6 Million Guests [UPDATE],” ClassAction.org, Mar. 2, 2020 (updated Jan. 30, 2025).
Abraham Jewett, “$45M MGM settlement resolves data breach class actions,” Top Class Actions, Feb. 4, 2025.
Smallman v. MGM Resorts International, No. 2:20-cv-00376 (D. Nev. Feb. 21, 2020), Class Action Complaint.
Steven Weisman, “Scam of the day – March 16, 2025 – MGM Data Breach Settlement,” Scamicide (blog), Mar. 15, 2025.
Jarah Wright & Joe Moeller, “MGM Resorts settles class action lawsuit over cyber attacks in 2019, 2023,” KTNV 13 Action News (Las Vegas), Feb. 8, 2025.
Gisela Hinojosa, “Lessons Learned from the MGM Breach” (“MGM Breach: Lessons Learned for Cybersecurity Teams”), Cobalt.io (blog), Aug. 5, 2024.
Justin Byers, “MGM Resorts and FTC agree to dismiss cyberattack lawsuit” (“FTC and MGM Resorts Give Up Legal Fight Over Cybersecurity”), SBC Americas, Mar. 3, 2025.
Inszone Insurance, “Cyber Attack & Breach on the MGM Resort Explained. Details of the Class-Action,” InszoneInsurance.com (blog), Oct. 11, 2023.