Hacker Tried to Rob Victim's Account After MGM Breach: Complaint

Plaintiff Paul Zari of Virginia entrusted MGM with his personally identifiable information (PII) as a member of the company’s MGM Rewards loyalty program, said the complaint, citing Social Security and driver’s license numbers as two such identifiers. The hospitality company's privacy policy states that information collected and maintained in electronic form on MGM’s systems are “protected by industry standard security measures” against “unauthorized access.”

Zari and class members entrusted their PII to MGM when participating in its loyalty program with the “reasonable expectation, and mutual understanding,” that it would comply with its obligations to keep that information confidential and secure from unauthorized access, said the complaint. That included “thoroughly vetting all third parties it hired to ensure that they employed adequate data security measures, procedures, protocols, and practices.”

As a result of the breach, Zari has suffered identity theft and fraudulent activity to his financial accounts, the complaint said. An unauthorized individual logged into his MGM accounts and changed passwords so that Zari was unable to access them, it said. The party attempted to withdraw $2,000 from his account; Zari had to "issue a stop payment and cancel his bank card,” he said.

Zari discovered the data breach only as a result of his accounts being hacked; he did not receive a separate notice from MGM regarding the breach, said the complaint. MGM posted a message on social media Sept. 11 informing consumers it experienced a cybersecurity issue affecting some of its systems. News reports linked the attack to the Scattered Sider hacking group, known for tricking employees of a target company into granting them access to their network. MGM said in an Oct. 5 SEC filing that the breach will have a negative impact on Q3 results, the complaint said.

Because of the data breach, Zari’s PII “is now in the hands of criminals,” the complaint said. He has “already suffered identity theft and fraud” as a result of the breach and remains “imminently at risk of crippling future identity theft and fraud,” it said. At the time of the complaint, Zari had spent eight hours making calls and closing accounts to deal with the fraud and identity theft that occurred as a result of the breach, said the complaint. As a direct result of the attack, he will likely have to continue buying a subscription for identity theft protection and credit monitoring, it said. MGM said it's offering credit monitoring and identity theft protection services to customers affected by the breach, said the complaint.

MGM is responsible for allowing the breach to occur because it “failed to implement and maintain reasonable safeguards, failed to comply with industry-standard data security practices, as well as federal and state laws and regulations governing data security, and failed to supervise, monitor, and oversee all third parties it hired” who had access to Zari’s and the class members’ PII, the complaint said. Its data security obligations were “particularly important” at a time of increased cyber- and ransomware attacks and data breaches in the gaming and hospitality industries and given the “the incredibly sensitive nature of PII that it retained in its servers,” it said.

Zari claims negligence and negligence per se, breach of implied contract and confidence, and unjust enrichment. He seeks injunctive and other equitable relief to protect the interests of him and the class; awards of compensatory, consequential and general damages, including nominal damages to be determined; an award of restitution or disgorgement; attorneys’ fees and legal costs; and prejudgment interest. MGM didn’t comment Thursday.