Class-action lawsuits have been lodged against MGM Resorts International and Caesars Entertainment in the wake of recent cyberattacks.

The prominent casino operators are facing allegations of ineffective cybersecurity measures, purportedly leaving their customers vulnerable to data breaches.

Filing a class-action lawsuit allows a large group of individuals with similar grievance against these cyber threats to consolidate their legal actions for a more cost-effective and efficient judicial process.

Individuals affected by inadequate data protection measures taken by the defendants can seek legal recourse through these lawsuits.

A total of five lawsuits have been registered against Caesars and MGM Resorts at the Nevada District Court, with another one filed in New Jersey.

These legal proceedings aim to secure monetary compensation for victims and future assurance against data security lapses.

Claims under consideration

The lawsuits contend that both MGM and Caesars failed to safeguard the personal identifiable information (PII) of their customers, particularly of their loyalty programme patrons, potentially exposed during the cyberattacks.

Furthermore, the lawsuits assert that the companies did not effectively disclose these breaches, leaving customers unaware of potential vulnerabilities in the future regarding the security of their personal information.

Many of the victims fear that their stolen data has already made its way onto the dark web, where personal identifiable information commands significant value, with prices ranging from $40 to $200 for stolen identity credentials.

The lawsuits aim to extract restitution, actual, statutory, and punitive damages, including any profits that the entities may have accrued from the misused data. All cases enlisted so far are requesting a jury trial.

Elsewhere, legal firms are taking proactive steps to assist potential victims. For example, Kansas City-based law firm Stueve Siegel Hanson is now offering free legal consultations to individuals who may have been impacted by the data breach.

Consequences of the cyberattacks

Caesars confirmed that it fell victim to a cyberattack on 14 September.

The company’s investigation revealed that the attacker had obtained a copy of the Caesars Rewards loyalty programme database, which contains sensitive information such as driver licence and Social Security numbers. 

A substantial ransom was reportedly paid by Caesars to restore its systems following the attack.

MGM Resorts, meanwhile, incurred significant disruption when it detected a security breach, prompting it to shut down some of its computer systems on 11 September.

This security measure affected several operations including booking and reservation systems, and notably, the functioning of gaming machines on casino floors.

Hacker groups ALPHV and Scattered Spider later claimed responsibility for the breaches.

The ALPHV ransomware group has publicised its involvement in the recent MGM hack and warned of further attacks if an agreement is not reached.

MGM Resorts experienced a major hack this week, disrupting its operations, including hotel room access, booking systems and digital payment options across its Las Vegas venues.

Initial reports pointed to an ALPHV sub-group called Scattered Spider as the culprits, after the same group was linked to an attack on MGM’s US casino rival Caesars Entertainment.

ALPHV is a widely recognised black-hat actor in the cybersecurity sphere, suspected of orchestrating cyberattacks on notable targets, including Reddit and Western Digital, among others.

“We have made multiple attempts to reach out to MGM Resorts International. As reported, MGM shut down computers inside their network as a response to us. We intend to set the record straight,” the organisation said in a lengthy statement that was shared online.

ALPHV claims it didn’t deploy ransomware on MGM’s systems initially but had infiltrated their Okta Agent servers to access passwords.

When detected, MGM shut down Okta Sync servers but failed to fully remove ALPHV from its network, leaving the group with admin privileges.

MGM has relied on Okta, an identity management solution, since 2013. Okta is a “secure identity cloud” offering a single sign-on security solution.

Timeline

ALPHV’s timeline is unclear, but it reports that MGM went offline on a Sunday (10 September), following network access issues on Saturday (9 September).

The group claimed the ransomware attacks occurred only on Monday (11 September), after MGM failed to respond to ALPHV.

The group provided a new password for accessing exfiltrated data, only recognisable to specific MGM executives.

ALPHV mentioned mixed responses from MGM during negotiations, involving a mysterious user in their chat who did not respond to their messages.

“We are unsure if this activity is automated but would likely assume it is a human checking it.”

Stolen data

Regarding the breached data, ALPHV is uncertain if it contains personally identifiable information.

If not, they plan to share it responsibly with Microsoft regional director and web security expert Troy Hunt.

Hunt is known for creating HaveIBeenPwned.com, a free resource that allows individuals to promptly check if their online accounts have been compromised or “pwned” in a data breach.

ALPHV also criticised MGM for a lack of customer concern, questioned reporting by the Financial Times, debunked rumours around the involvement of teenagers, and raised doubts about claims made by cyber security firms in the media.

The group emphasised that it had not “privately or publicly claimed responsibility for an attack before this point”.

ALPHV also criticised media outlets for erroneously reporting that they had taken credit for the attack before they actually did.

Finally, ALPHV stated it still has access to MGM’s network and threatened further attacks if a deal isn’t reached.

“We continue to wait for MGM to grow a pair and reach out as they have clearly demonstrated that they know where to contact us.”

The full statement can be read here.