Current Cases

In re MGM Resorts International Data Breach Litigation

Status Current Case

Practice area Consumer Protection

Court U.S. District Court, District of Nevada

Case number 2:20-cv-00376


On November 3, 2022, Judge Gloria M. Navarro of the United States District Court for the District of Nevada denied the bulk of MGM Resorts’ motion to dismiss in this consolidated data breach class action against MGM Resorts for failing to implement reasonable data security practices, thereby allowing the personal information of between 10.6 million and 142 million MGM hotel guests and customers to be stolen on or about July 7, 2019 in a massive data breach.

Plaintiffs’ data breach lawsuit charges MGM with negligence, breach of contract, and unjust enrichment, as well as violations of state consumer protection laws. The class action seeks to certify a nationwide class of all individuals whose personal information was compromised; to recover damages, costs and expenses; and to secure a mandatory injunction directing MGM to implement improved security measures.

On February 1, 2021, Cohen Milstein’s Douglas J. McNamara was court-appointed Co-Lead Interim Class Counsel.

Case Background

Originally filed on March 13, 2020, Cohen Milstein’s clients and other plaintiffs allege that MGM Resorts International, a global hospitality, entertainment, and resort company, which operates properties across the U.S. including the Bellagio, Mandalay Bay and MGM Grand, failed to implement reasonable data security practices to protect MGM customer personally identifiable information (PII), including addresses, driver’s license numbers, passport numbers, phone numbers, email addresses, and dates of birth, and other information.

On or about July 7, 2019, an unauthorized individual gained access to MGM’s computer network and proceeded to exfiltrate the PII of MGM’s customers. In February 2020, it was reported that PII of 10.6 million guests was stolen. In July 2020, ZDNet reported that the PII of more than 142 million guests was stolen. On more than two separate occasions, the stolen PII has been posted for sale on online forums.

MGM’s Privacy Policy informed customers that MGM would protect their data. Moreover, the hotel industry is a particularly desirable target for hackers given the types of PII that hotels acquire from guests. Despite those facts, Plaintiffs claim, MGM failed to implement reasonable security practices. As a result, Plaintiffs claim, they and similarly situated individuals are at imminent, immediate, and continuing risk of harm from identity theft and fraud.