What Happened
In July 2019, specifically on or about July 7, hackers accessed MGM Resorts International‘s computer network due to an improperly configured server, stealing personally identifiable information (PII) from 10.6 million to over 142 million guests (with some reports citing up to 200 million worldwide who stayed at MGM properties through December 2017). Exposed data primarily included names, addresses, phone numbers, email addresses, and dates of birth, with more sensitive details such as driver’s license numbers, passport numbers, Social Security numbers, and military ID numbers compromised for certain individuals; the stolen data was posted on hacking forums and offered for sale on the dark web. MGM notified some affected customers in August 2019 but allegedly underreported the scope and failed to implement adequate security, leading to class-action lawsuits consolidated in 2020 that culminated in a $45 million settlement in January 2025 covering both the 2019 breach and a separate 2023 ransomware attack.
