John Smallman, formerly a patron of MGM Resorts International (MGM), is suing the gaming company after it was revealed that cyber thieves stole the data of 10.6 million guests last year.
Earlier this week, MGM verified the data breach involving 10,683,188 records of prior guests, including celebrities, convention goers and government officials. The operator of the Bellagio and Mirage, among other Las Vegas Strip properties, made affected guests aware of the incident last year, but it came to light publicly this week after the information was released on an online hacking forum.
In a complaint filed Friday in U.S. District Court in Nevada, attorneys for Smallman claim that MGM notified impacted guests on or about Sept. 5 2019 following a breach on or around July 7, 2019 and that the company kept it quiet to avoid negative publicity in the wake of the October 1, 2017, mass shooting at Mandalay Bay that resulted in 58 deaths and more than 800 injuries.
Unfortunately, the miscreants that took and/or acquired the sensitive PII had other plans, and on February19, 2020, internet technology publication ZDNet revealed that the personally identifiable information of more than 10.6 million MGM hotel guests had been posted on a hacking forum, available for misuse by a host of bad actors,” according to the suit.
ZDNet initially reported news of the data theft on Feb. 19. PII references “personally identifiable information.”
Smallman’s counsel notes the Californian stayed at the Luxor multiple times over the past 10 years using his drivers license, a credit or debit card and other PII while there. He also used payment cards at the Bellagio. Earlier in the week, Casino.org reached to MGM to verify what properties were affected by the hack, but did not hear back from the company.
The hackers stole full names, home addresses, phone numbers, emails, and dates of birth, but MGM said to ZDnet it believes payment information and passwords weren’t compromised in the cyber attack.
“Plaintiff suffered actual injury from having their PII stolen as a result of the Data Breach including, but not limited to: (a) paying monies to MGM for its goods and services which they would not have had if MGM disclosed that it lacked data security practices adequate to safeguard consumers’ PII from theft; (b) damages to and diminution in the value of their PII—a form of intangible property that the Plaintiff entrusted to MGM as a condition of receiving MGM services; (c) loss of their privacy; (d) imminent and impending injury arising from the increased risk of fraud and identity theft,” according to the complaint.
Smallman’s attorneys also argue that due to the MGM data infiltration, their client will be increasingly vulnerable to financial fraud and identity theft in the coming years.
Due to the nature of the personal information acquired by gaming companies and hotel chains, the travel and leisure industry is among the most vulnerable to cyber thievery. In the last decade, one of the largest data breaches involved 383 million records stolen from Marriott’s Starwood brand.
Hilton, Hyatt and Trump are among the other big-name hoteliers that have had run ins with cyber criminals.
Smallman’s attorneys note the MGM data breach may run afoul of Federal Trade Commission (FTC) guidelines. The FTC has previously brought action against companies for not sufficiently safeguarding customer data.
“At all relevant times, MGM knew, or reasonably should have known, of the importance of safeguarding PII and of the foreseeable consequences if its data security systems were breached, including, the significant costs that would be imposed on customers as a result of a breach,” according to the suit.