Consumer Electronics Daily was a Warren News publication.
Hacker Impersonated Employee

MGM Knew IT System Had 'Increased Risk' of Cyberattack: Class Action

Though MGM Resorts International was “well aware” that the personally identifiable information (PII) it collects is “highly sensitive and of significant value” to bad actors, it informed its customers Oct. 5 of a “large scale cyberattack” across its properties, said a Friday class action (docket 2:23-cv-01719) in U.S. District Court for Nevada in Las Vegas. During the data breach, which occurred Sept. 11, cybercriminals shut down MGM's ATMs and slot machines, its website and online booking systems, the complaint said.

According to MGM’s public statements to date, customers’ PII implicated in the breach include names, contact information, gender, date of birth, driver’s license number and, for some customers, Social Security numbers and passport details, the complaint said. As a result of MGM’s failure to implement and follow basic security procedures, plaintiff Charles Bezak’s, and class members’, PII is “in the hands of cybercriminals.” Bezak, a Nevada resident, received a notification email from MGM informing him his PII had been compromised in the data breach.

MGM knew that a breach of its computer systems, and exposure to the information stored on them, would result in “increased risk of identity theft and fraud” for those whose PII was compromised, said the complaint. The risks “are not theoretical,” said the complaint, citing recent high-profile data breaches at Equifax, Facebook, Yahoo, Marriott and Anthem. MGM has been breached twice by cybercriminals since 2019, and in summer 2019, a hacker accessed its cloud servers and stole 10 million records of hotel guests, the complaint said. MGM brought an end to the Sept. 11 data breach on or about Sept. 20, the complaint said.

Citing news reports, the complaint said ransomware gang Scattered Spider’s cyberattack began when a hacker impersonated an MGM employee using information found on LinkedIn. The criminal contacted MGM’s IT department requesting a password reset; the IT department complied, giving the hacker access to the employee’s account, enabling the criminal to gain control “over MGM’s entire system,” the complaint said. MGM confirmed cybercriminals were able to steal PII belonging to customers who transacted with MGM prior to 2019, including driver’s license, Social Security numbers and passport details, it said.

The hospitality industry is a prime target for “threat actors,” said the complaint, citing a Cornell University/Freedom Pay report saying 31% of hospitality organizations have reported a data breach, with 89% affected more than once in a year. Hospitality businesses are “targeted by cybercriminals because they must balance guest satisfaction and reputation against staying secure,” the complaint said.

The hospitality sector faces unique cybersecurity risks because it has high staff turnover and more difficulty keeping "on top of security training,” said the complaint. A hotel serves “hundreds of different customers on a daily basis,” which requires a network “secure and large enough to keep up with the sheer number of users, while at the same time making businesses hesitant to deploy any patches and configuration changes as it may have an impact on the day-to-day operations," the complaint said.

Plaintiff and class members have suffered emotional distress as a result of the breach, increased risk of identity theft and financial fraud, and the unauthorized exposure of their PII to strangers and cybercriminals, the complaint said.

Bezak asserts claims of negligence, breach of implied contract, unjust enrichment and violation of Nevada’s Consumer Fraud Act. He seeks compensatory and punitive damages, an order of restitution, declaratory and injunctive relief, disgorgement and restitution, pre- and post-judgment interest, and reasonable attorneys’ fees and costs.