Canadian MGM Data Breach Victims May Receive Up To $20,000 From $4 Million Settlement

**TL;DR** A proposed $4 million settlement for Canadians affected by MGM Resorts International's 2019 and 2023 data incidents awaits court approval, potentially offering claimants up to $20,000 for substantiated losses.

**Context** MGM Resorts International faced two significant data incidents impacting customer data. The first occurred in July 2019, compromising names, addresses, and passport numbers. A second incident, identified as a ransomware attack, struck in September 2023, exposing similar data along with driver's license numbers, military identification numbers, and Social Security numbers. These breaches collectively affected over 37 million customers, according to U.S. class action filings.

**Key Facts** A proposed $4 million settlement now addresses these incidents for Canadian residents. This settlement, pending court approval, aims to compensate eligible individuals whose information was exposed. MGM Resorts International denies all allegations and liability in connection with these incidents. The company asserts no court has found it liable, stating the settlement agreement serves to avoid the expense and risks of continued litigation.

Approved claimants can receive reimbursement for one year of future credit monitoring and up to $1 million in fraud/identity theft insurance. Compensation for substantiated losses extends up to $20,000 per approved claim. Individuals experiencing unsubstantiated losses may claim up to $150 for involvement in one incident or up to $300 for both, with maximums adjusting based on total claims. The Supreme Court of British Columbia has certified a class action for Canadians outside Quebec who were affected by the 2019 incident.

**What It Means** For individuals, this settlement provides a path to financial recovery and protective services following data exposure. It underscores the critical need for vigilance in monitoring financial accounts and credit reports for suspicious activity. Individuals eligible for this class action are automatically included unless they opt out by May 19, ahead of the May 25 settlement approval hearing.

For organizations, these incidents highlight the significant financial and reputational costs of inadequate cybersecurity defenses. A $4 million settlement, even if disputed on liability, represents a tangible expense stemming from data breaches. This reinforces the imperative for robust security postures, including multi-factor authentication, regular system patching, and comprehensive incident response plans. Proactive measures against common attack vectors, such as phishing and ransomware, can mitigate the risk of such costly security failures.

**What to Watch Next** The outcome of the May 25 court hearing will determine the finalization of this settlement and the timeline for claims processing.