Posted on: September 25, 2023, 06:14h.
Last updated on: September 25, 2023, 06:40h.
Five new lawsuits seek retribution from MGM Resorts International and Caesars Entertainment for failing to protect sensitive customer data during this month’s unprecedented Las Vegas casino cyberattacks.
The lawsuits — filed late last week in Nevada District Court — allege that the two largest gaming companies on the Strip were negligent for, among other things, not providing adequate cybersecurity measures and failing to inform customers in a timely manner that their information was compromised.
Individual rewards club members on Thursday filed four lawsuits seeking class-action status. They are Tony Owens and Emily Kirwan (plaintiffs against MGM) and Paul Garcia and Alexis Giuffre (plaintiffs against Caesars). A fifth lawsuit was filed Friday, against Caesars alone, by plaintiffs Thomas and Laura McNicholas.
All five lawsuits allege negligence, breach of contract and unjust enrichment. They all seek monetary damages — actual, statutory and punitive damages, as well as restitution — in addition to jury trials.
The suits allege that MGM and Caesars knew, or should have known, the importance of safeguarding the sensitive information they required from their rewards club customers, and that their negligence violated Federal Trade Commission guidelines and industry standards.
Kirwan’s suit specifies that MGM “was aware that it was vulnerable to this type of attack because the IT vendor that it relied upon, Okta, had warned of ‘a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multi-factor authentication factors enrolled by highly privileged users.”
The suits all point out that, as a result of their data being exposed, the victims will need to be vigilant and constantly monitor their financial accounts for the rest of their lives.
Hackers claimed they stole six terabytes of sensitive information from both companies, much of which their victims believe is already available on the dark web. Identity thieves can download the data and use it to obtain loans and driver’s licenses, and file fraudulent tax returns and unemployment claims.
MGM’s Sept. 10 cyberattack kept systems offline for nine days at its 10 casino resorts on the Strip. Caesars, which operates nine casino resorts, publicly detailed a similar social engineering cyberattack, sometime before Sept. 7, in an Securities and Exchange Commission filing on Sept. 14. The company reportedly paid a $15 million ransom to free its systems as soon as possible.
“We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result,” Caesars said in a statement.
MGM, which is believed not to have paid a ransom, has made no statement about the exposure of its customers’ data.
Last week, Casino.org asked a leading cybersecurity expert which casino giant, MGM or Caesars, appears to have managed their cyberattack better.