It started with a ten-minute phone call. In September 2023, a hacking group known as Scattered Spider basically walked through the front door of one of the world's largest entertainment giants using nothing but a LinkedIn profile and a call to a help desk. They didn't need a complex "Ocean's Eleven" scheme. They just needed social engineering. This lapse led to a digital catastrophe that paralyzed the Las Vegas Strip, and now, the MGM data breach settlement is the only thing left to clean up the mess for millions of affected travelers.
If you stayed at an MGM property—think Bellagio, Aria, MGM Grand, or Mandalay Bay—anytime before the fall of 2023, your data was likely part of the haul. We’re talking names, dates of birth, driver’s license numbers, and for some, Social Security numbers. It’s scary stuff.
The fallout was surreal. Slot machines went dark. Digital room keys stopped working, leaving guests stranded in hallways. People were waiting in four-hour lines just to check in manually with pen and paper. It felt like a glitch in the Matrix, but for the 36 million people whose personal info was snatched, the headache didn't end when the servers came back online.
Why the MGM Data Breach Settlement is Taking So Long
Court cases are slow. Like, glacially slow. When the news first broke, everyone wanted an immediate check. But that’s not how class action lawsuits work, especially when you’re dealing with a company that lost roughly $100 million in EBITDAR (Earnings Before Interest, Taxes, Depreciation, Amortization, and Restructuring) due to the hit.
The legal battle has been a massive tug-of-war. On one side, you’ve got plaintiffs arguing that MGM’s cybersecurity was basically a screen door in a hurricane. On the other, MGM’s legal team has pointed out that they refused to pay the ransom—unlike Caesars Entertainment, which reportedly paid about $15 million to the same hackers to keep their breach quiet.
There's a lot of nuance here.
Because MGM chose to fight the hackers rather than pay them, the disruption was worse, but arguably, they didn't reward the criminals. Does that make them less liable for the data theft? Probably not. The courts are currently weighing whether "reasonable care" was taken to protect the PII (Personally Identifiable Information) of millions of guests.
What was actually stolen?
Honestly, the list is frustratingly standard for these kinds of breaches.
- Full Names: The basics.
- Contact Info: Email addresses and phone numbers that are now likely on every spam list in existence.
- Government IDs: This is the big one. Driver’s licenses and passport numbers.
- SSNs: Only for a "limited number" of customers, but if you’re in that group, you’re at high risk for identity theft.
The Reality of the Payouts
Let’s be real for a second. You probably aren't getting a $10,000 check. In these massive settlements, the money gets divided among so many people that the individual slice is often enough for a nice dinner, not a new car.
However, the MGM data breach settlement is expected to offer two tiers of compensation. First, there’s the "Ordinary Loss" category. If you spent money on credit monitoring or had to spend three hours on the phone with your bank, you can claim that time and expense. Then there’s "Extraordinary Loss." This is for the folks who actually had their identities stolen or saw fraudulent charges on their accounts directly linked to the MGM leak. Those payouts can reach into the thousands.
It’s about documentation. If you can’t prove you lost money, you’re looking at a small, flat-fee payment. If you have receipts, you're in a much better position.
How Scattered Spider pulled it off
It's kind of wild when you think about it. These hackers are teenagers and twenty-somethings, mostly from the US and UK. They didn't use a "brute force" attack on a firewall. They found an employee's name on LinkedIn, called the MGM tech support line, and pretended to be that employee who lost their password.
The help desk guy? He just reset it.
That one human error gave the hackers "Super Administrator" privileges. From there, they deployed ransomware and started vacuuming up data. It’s a stark reminder that the most expensive security software in the world is useless if a human being can be talked into opening the door.
Comparing MGM to the Caesars Breach
People often confuse these two because they happened almost simultaneously. Caesars paid the ransom. Their systems stayed up, and most customers didn't even realize anything had happened until the mandatory disclosure letters started hitting mailboxes.
MGM took the hit.
They shut down their systems to contain the spread. This was objectively the more "noble" move in terms of cybersecurity ethics—don't fund the hackers—but it made their customers' lives a living hell for a week. The MGM data breach settlement has to account for that chaos. Some lawsuits are specifically targeting the "loss of enjoyment" and "diminished value" of the vacations people paid thousands for, only to spend them standing in lines.
How to Protect Yourself While You Wait
Waiting for a court to approve a settlement can take years. In the meantime, your data is already out there on the dark web. It doesn't just disappear.
- Freeze your credit. This is the single most effective thing you can do. It’s free. It takes five minutes at each of the three bureaus (Equifax, Experian, TransUnion). It stops anyone from opening a new credit card in your name using that stolen SSN.
- Change your passwords, but specifically for your email. Your email is the "skeleton key" to your entire life. If a hacker has your email and your DOB from the MGM breach, they can trigger "Forgot Password" prompts on your bank accounts.
- Use a hardware security key. If you’re really worried, get a YubiKey. It’s a physical USB stick you have to plug into your computer to log in. Even if a hacker has your password, they can’t get in without that physical key.
The legal timeline
Right now, the litigation is consolidated in the District of Nevada. We are in the discovery phase. This is where lawyers dig through MGM’s internal emails to see if they knew their security was weak before the attack happened. If "smoking gun" emails are found, the settlement amount will skyrocket. If it looks like MGM did everything right and just got unlucky, the payout might be lower.
Expect a final "Notice of Settlement" to arrive via email or postcard sometime in late 2025 or early 2026. Do not ignore it. That little postcard is your ticket to the claim form.
Actionable Steps for Affected Guests
If you were a guest at an MGM property around September 2023, you need to be proactive. Don't just wait for the money to find you.
- Gather your receipts. Find your folio or your booking confirmation from that trip. If you had to buy extra meals because you couldn't use your "resort credit" during the outage, save those receipts.
- Log your time. Did you spend five hours dealing with identity theft? Write down the dates and what you did. Many settlements pay an hourly rate (usually around $25/hour) for "lost time."
- Check the official settlement website. Once the judge grants preliminary approval, a dedicated website (usually something like [YourName]DataSettlement.com) will go live. This is the only place you should enter your info to claim money.
- Watch for phishing. Ironically, hackers love to send fake "Data Breach Settlement" emails to trick you into giving them more information. A real settlement administrator will never ask for your password or your full SSN over email.
The MGM data breach settlement represents a massive shift in how we hold hospitality companies accountable. It’s no longer just about clean sheets and cold drinks; it’s about digital safety. MGM is currently spending hundreds of millions of dollars to beef up their "Zero Trust" architecture so this never happens again. For the rest of us, it’s a waiting game for a bit of financial justice.
Keep your documents organized and your credit frozen. The legal system is slow, but the check eventually arrives.