MGM, Caesars Face Handful of Lawsuits Over Cyberattacks

    Caesars Palace
    Article by : Erik Gibbs Oct 4, 2023

    Two major casino-resort operators on the Las Vegas Strip are now facing nine federal lawsuits in the aftermath of cyberattacks that exposed the personal information of thousands of customers and disrupted one of the companies’ operations.

    A lawsuit filed in the US District Court in Nevada on Friday alleges that Caesars Entertainment was negligent in protecting its customers’ personally identifiable information during a recent cyberattack.

    According to the lawsuit, the plaintiff, David Lackey, a Virginia resident and a Caesars Rewards member for over 20 years, visited a Caesars property in Las Vegas in the past year.

    These lawsuits were filed in the Nevada District Court and claim that both companies failed to adequately safeguard the personally identifiable information of their loyalty program customers from cyberattacks in September.

    On September 21, Las Vegas-based law firms Stranct, Jennings, Garvey PLLC, and Florida-based Kopelowitz Ostrow Ferguson Weiselberg Gilbert initiated four lawsuits – two against Caesars and two against MGM.

    Additionally, a fifth lawsuit was filed against Caesars on September 22 by the Reno-based O’Mara Law Firm and Chicago-based Barnow and Associates. These lawsuits represent plaintiffs from various states across the nation.

    The lawsuits argue that the companies were aware of or should have recognized the importance of protecting their personal information and failed to adhere to Federal Trade Commission guidelines and industry standards.

    Victims suspect their compromised data may have been sold on the dark web, highlighting the high value of personally identifiable information among cyber criminals.

    All five lawsuits seek monetary damages for the affected victims, including actual, statutory, and punitive damages and restitution. The lawsuits allege negligence, breach of contract, and unjust enrichment, and all request a jury trial.

    The demands also include seeking any profits the companies may have obtained through the compromised data and assurances that such breaches will be prevented.

    Caesars publicly disclosed a social engineering cyberattack in a Securities and Exchange Commission filing on September 14.

    The company revealed that an attacker acquired a copy of the Caesars Rewards loyalty program database, which included driver’s license and Social Security numbers, during the September 7 incident.

    MGM’s data breach began on September 10, with hackers reportedly using social engineering tactics to gain access to the company’s systems and download the susceptible personal information of thousands of MGM customers.

    These attacks would later shut down some casino and hotel computer systems across the US. The breach and subsequent security measures by the company affected several computer networks systemwide, including reservations, digital keys, ATMs and more.

    Most customer-facing operations have since returned to normal, except a few, like the MGM Rewards loyalty app.