Export Compliance Daily is a Warren News publication.
'Consistent Pattern' Warnings

MGM Resorts Knew of Data Breach Risks via IT Vendor, Alleges Class Action

MGM Resorts International's “impermissibly inadequate data security” caused the personally identifiable information (PII) of plaintiffs and class members to be “exfiltrated by unauthorized cybercriminals” in a Sept. 7 data breach, alleged a Nov. 27 class action (see 2:23-cv-01981) transferred Thursday from U.S. District Court for Southern California to U.S. District Court for Nevada in Las Vegas.


MGM should have known it was at risk of cyberattacks after its information technology vendor, Okta, warned of “a consistent pattern of social engineering attacks against IT service desk personnel, in which the caller’s strategy was to convince service desk personnel to reset all multifactor authentication factors enrolled by highly privileged users,” the complaint said. Okta’s Aug. 31 statement included a list of tactics hackers were using, plus a “detailed set of recommendations” for companies to implement “to prevent a ransomware hacking like the one that occurred,” it said. The type of attack Okta warned of “is the exact type of attack Defendant fell victim to,” the complaint said.
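As an added illustration of the pattern Okta warned about (example code written for this page, not from the complaint, Okta or MGM), the script below scans constructed audit events for MFA factor resets that target highly privileged accounts and counts resets per service-desk actor, which is the kind of check the Okta recommendations point toward. The event type strings, field names, user names and addresses are assumptions loosely modelled on an identity provider's system log, not a vendor schema.

```python
"""Flag service-desk MFA resets that hit highly privileged accounts."""
from collections import Counter

# Event types treated as "all factors reset / a factor removed" (assumed names).
RESET_EVENT_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}

# Accounts whose MFA should never be reset via a phone call alone (constructed).
PRIVILEGED_USERS = {"cto@example.com", "okta-superadmin@example.com"}

# Constructed sample events; layout is an assumption, not a real log export.
SAMPLE_EVENTS = [
    {"published": "2023-09-07T14:02:11Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk1@example.com"},
     "target": [{"alternateId": "cto@example.com"}], "client": {"ipAddress": "10.0.5.12"}},
    {"published": "2023-09-07T14:05:40Z", "eventType": "user.mfa.factor.reset_all",
     "actor": {"alternateId": "helpdesk1@example.com"},
     "target": [{"alternateId": "analyst@example.com"}], "client": {"ipAddress": "10.0.5.12"}},
    {"published": "2023-09-07T14:06:02Z", "eventType": "user.session.start",
     "actor": {"alternateId": "cto@example.com"},
     "target": [], "client": {"ipAddress": "203.0.113.9"}},
    {"published": "2023-09-07T14:09:55Z", "eventType": "user.mfa.factor.deactivate",
     "actor": {"alternateId": "helpdesk2@example.com"},
     "target": [{"alternateId": "okta-superadmin@example.com"}], "client": {"ipAddress": "10.0.5.13"}},
]


def find_privileged_mfa_resets(events, privileged=PRIVILEGED_USERS, reset_types=RESET_EVENT_TYPES):
    """Return (time, actor, target, eventType) for every reset aimed at a privileged user."""
    hits = []
    for ev in events:
        if ev.get("eventType") not in reset_types:
            continue
        actor = ev.get("actor", {}).get("alternateId", "<unknown>")
        for tgt in ev.get("target", []):
            user = tgt.get("alternateId")
            if user in privileged:
                hits.append((ev["published"], actor, user, ev["eventType"]))
    return hits


def reset_counts_by_actor(events, reset_types=RESET_EVENT_TYPES):
    """Count reset events per acting service-desk account to surface unusual bursts."""
    return Counter(ev["actor"]["alternateId"] for ev in events if ev.get("eventType") in reset_types)


if __name__ == "__main__":
    for hit in find_privileged_mfa_resets(SAMPLE_EVENTS):
        print("ALERT privileged MFA reset:", hit)
    print("resets per actor:", dict(reset_counts_by_actor(SAMPLE_EVENTS)))
```

In production the alert would be raised from the identity provider's log stream and reviewed against the service-desk ticket that justified the reset.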

Plaintiff Laura Willis Albrigo, a San Diego resident, has stayed at the Mandalay Bay Resort and Casino in Las Vegas, and Anita Johnson of Castaic, California, has stayed at the Park MGM Las Vegas and Luxor Hotel & Casino, both owned and operated by MGM, said the complaint. As a condition of receiving its products or services, MGM required Albrigo and Johnson to entrust it with “highly sensitive personal information,” including name, address, date of birth, driver’s license or state identification numbers and Social Security number, the complaint said. The company retains the information “for at least many years and even after the consumer relationship has ended,” it said.

MGM Resorts International’s privacy policy states that information it and individual MGM resorts collect “is stored on systems protected by industry standard security measures” that are “intended to protect these systems from unauthorized access,” the complaint said. The hotel chain “had a duty to adopt reasonable measures to protect” plaintiffs’ PII from “involuntary disclosure to third parties,” it said.

Plaintiffs have taken “reasonable steps” to maintain the confidentiality of their PII, and provided that information to MGM with the expectation and “mutual understanding” that it would keep their PII confidential, “maintain its system security, use the PII for business purposes only, and to only disclose the information to authorized and trusted personnel,” the complaint said.

At least two cybercriminal groups have taken credit for the attack against MGM, said the complaint. Scattered Spider took credit for accessing and acquiring 6 TB of data from MGM on Sept. 11; the next day, a group known as Alphv claimed responsibility for the attack, tweeting that it infiltrated the MGM system by identifying an employee via LinkedIn and making a phone call to the tech support department. Alphv boasted that a company valued at $33.9 billion “was defeated by a 10 minute conversation,” the complaint said, citing a Forbes article.

MGM failed to comply with FTC guidelines for reasonable data security practices, and it did not follow industry standard practices for securing PII, the complaint said. As evidenced by the breach, MGM failed to follow some or all industry best practices such as “educating all employees, strong password requirements, multilayer security including firewalls, anti-virus and anti-malware software, encryption, multifactor authentication, backing up data, and limiting which employees can access sensitive data,” it said.

Plaintiffs suffered actual injury from having their PII compromised in the breach, including diminution of the value of their PII, violation of their privacy rights, the “likely theft of their PII,” fraudulent activity resulting from the breach and “present and continuing injury arising from the increased risk of additional identity theft and fraud,” the complaint said. They also suffered associated emotional distress and anxiety about unauthorized parties viewing, selling or using their PII, it said.

Plaintiffs assert claims of negligence and negligence per se, breach of implied contract, restitution or unjust enrichment, and violation of California’s Customer Records and Unfair Competition acts, the complaint said. They seek awards of compensatory, statutory and punitive damages, plus attorneys’ fees and legal costs. They also seek an injunction requiring MGM to “adequately safeguard” plaintiffs’ and class members’ PII and an order requiring it to implement a comprehensive information security program. MGM didn't comment Friday.

In another lawsuit involving the MGM data breach, plaintiffs Saul and Shirley Lassoff filed an emergency notice (docket 1:23-cv-20419) Thursday in U.S. District Court for New Jersey in Camden that they will bring an emergency motion to “preclude all other venues & duplicate litigation and transfer remaining cases,” including Albrigo, to the New Jersey district court against MGM Resorts International only. They will also issue a proposed first-to-file preclusion order and transfer remaining cases pursuant to 28 U.S.C. section 1404(A) as to MGM “only before this Court,” said the notice.

The Lassoffs’ notice listed nine “similar related secondary outstanding remaining cases,” including Albrigo, for transfer to New Jersey federal court. All are duplicative of the Lassoff claim in that they raise identical issues and seek identical relief, it said. The underlying principles of the first-filed rule “seek to avoid ‘vexation of subsequent litigation over the same subject matter’ and ‘the economic waste involved in duplicating litigation,’ and to promote ‘prompt and efficient administration of justice,’” said the notice. The Lassoffs filed their complaint Sept. 18 (see 2309190037).