In September 2023, MGM Resorts, one of the world’s largest hotel and casino groups, was the target of a cyberattack that paralysed its operations for nearly a week. Iconic properties such as the Bellagio, the Cosmopolitan and Mandalay Bay, along with other resorts in the group across the United States, were severely affected: there were malfunctions in slot machines, ATMs, electronic payment systems, and online booking services.
Two years after the most recent incident, the case is back in the news due to the launch of a compensation programme as part of a class action lawsuit. The aim is to financially compensate customers harmed by the two cyberattacks — in 2019 and 2023 — who had their personal data exposed, holding MGM Resorts companies accountable in the area of cybersecurity.
The 2023 cyberattack is attributed to the hacker group Scattered Spider — associated with the ransomware group ALPHV (BlackCat). The intrusion was facilitated through vishing techniques (voice phishing), in which the attackers posed as IT support staff to obtain legitimate credentials. They then used MFA (Multi-Factor Authentication) fatigue tactics to bypass security systems and encrypted part of MGM’s digital infrastructure. This was not the first incident of its kind: in 2019, data from around 10.6 million customers was leaked on online forums.
Despite alleged improvements in cybersecurity implemented since then, the consequences of the 2023 attack extended into 2024 and 2025, with financial losses exceeding 100 million US dollars. In response, MGM Resorts committed to investing an additional 50 million dollars in digital security measures.
As a result, a legal settlement worth 45 million dollars was established to compensate those affected by the cyberattack. The planned compensation ranges from 20 to 75 dollars, depending on the type of personal data exposed. Anyone submitting a valid claim may also benefit from one year of identity theft protection services, including fraud insurance with coverage of up to 1 million dollars, and may claim reimbursement for proven losses up to a limit of 15,000 dollars.
The list of affected establishments is extensive and includes, among others, the Bellagio, ARIA, MGM Grand and Mandalay Bay in Las Vegas, as well as locations in other US cities.
Because you can never invest too much in security, we’ve put together five key tips to help you protect your personal, financial, or professional data and avoid vishing (voice phishing) attacks:
Be cautious of unknown and unexpected calls
Never share passwords or codes over the phone
Always verify the identity of the caller
Block any suspicious number and report it
Enable two-factor authentication to strengthen the security of your digital service accounts