Bob Leal

LAS VEGAS (CN) — Friday was MGM Resort International's turn to face a class action stemming from a massive data breach that exposed its customers' personal information and hobbled operations last week, following another, similar class action targeting fellow Vegas Strip heavyweight Caesars Entertainment for a similar cyberattack.

On Sept. 7, cyberattackers “gained access to defendant’s network by impersonating an IT admin and gaining access credentials. The hackers then locked down defendant’s network preventing resort guests from using their electronic room cards, Wi-Fi, ATM kiosks, electronic gaming devices, and other resort services,” Emily Kirwan, who brings the suit on behalf of herself and other members of MGM's loyalty program affected by the cyberattack, said in the suit.

Kirwan — represented by attorney Nathan Ring of Stranch, Jennings & Garvey — claims MGM failed to safeguard and maintain adequate measures to prevent the unauthorized disclosure of customers’ data.

According to Kirwan, full names, dates of birth, addresses, email addresses, phone numbers, Social Security numbers and/or driver’s license numbers were exposed, as a result of MGM’s negligence and failure to follow “adequate and reasonable” procedures and policies regarding the encryption of data." Kirwan also said in the suit filed Friday in federal court in Nevada the conduct amounts at least to negligence and violates federal and state statutes.

Two cybercriminal organizations have taken credit for the attack. One of the hacking groups, known as “The Scatter Spider” claims it stole “six terabytes” of data from the multi-billion-dollar hotel and casino operator, Kirwan said in the suit.

The second group, ALPHV, referred to in the suit as a ransomware criminal organization, claimed to have downloaded “personally identifiable information.”

Customers have suffered a number of injuries “as a result of defendant’s conduct,” including invasion of privacy, lost time associated with attempting to mitigate the consequences of the data breach, and the continued and increased risk to their personal information, Kirwan says.

Kirwan claims the customers’ personal information will be subject to further unauthorized disclosures because MGM “fails to undertake appropriate and adequate measures.”

MGM collects customers’ personal information through its MGM Rewards Program. The customers received “promises and representations” that their personal information would be kept safe and confidential.”

“On September 11, 2023, MGM posted a message informing consumers that MGM experienced a cybersecurity issue affecting some of its systems. According to one cybercriminal group that has taken credit for the attack, the cybercriminals gained access to defendant’s systems by impersonating an employee to gain access credentials, a relatively simple social engineering attack. Once the threat actors gained access to the network, the cybercriminals deployed ransomware designed to lock down defendant’s network as leverage to force defendant to pay a ransom,” Kirwin writes in the suit.

Kirwan claims that MGM “was aware that it was vulnerable to this type of attack because the IT vendor that it relied upon, Okta, had warned of 'a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication factors enrolled by highly privileged users.'”

After the cyberattack, long lines flowed for more than a week through most of lobbies at MGM properties because the reservation systems were compromised, forcing employees to ditch computers and do much of the work by hand.

MGM Resorts International — which owns properties across the nation in Nevada, Massachusetts, Michigan, Mississippi, Michigan, Ohio and New Jersey — reported that normal operations have now been reinstated after a 10-day computer shutdown, according to a post by the company on X, formerly known as Twitter. The company's Las Vegas properties include some of the Strip's most well-known properties — including the largest hotel-casino on the Strip, the 5,000-room MGM Grand, along with the Bellagio, Vdara, Cosmopolitan and Mandalay Bay.

Ring and MGM could not be reached for comment by press time.