Cybersecurity | April 18, 2026

Canadians May Receive Up to $20,000 Each from $4 Million MGM Data Breach Settlement

British Columbia class action could pay up to $20,000 per Canadian for MGM’s 2019 data leak and 2023 ransomware attack, pending court approval on May 25.

Peter Olaleru / 3 min read / US

Cybersecurity Editor


**TL;DR** The Supreme Court of British Columbia has certified a class action that could pay Canadians up to $20,000 each from a $4 million settlement covering MGM Resorts’ 2019 data leak and 2023 ransomware attack. Final approval hinges on a May 25 hearing; opt‑out deadline is May 19.

**Context** In July 2019, attackers accessed an unsecured Amazon S3 bucket that stored MGM guest profiles, exposing names, addresses, passport numbers and other personal data. In September 2023, a ransomware group used social engineering to hijack an IT help‑desk account, then deployed BlackCat/ALPHV ransomware that encrypted systems and copied the same guest data plus driver’s licence, military ID and Social Security numbers. More than 37 million customers were affected across both incidents.

**Key Facts** The July 2019 breach resulted from a misconfigured S3 bucket that allowed unauthenticated read access, aligning with MITRE ATT&CK T1190 (Exploit Public‑Facing Application). The September 2023 intrusion began with credential harvesting via vishing (T1566.002) and abuse of valid accounts (T1078) before ransomware deployment (T1486). MGM denies liability, stating the settlement avoids litigation costs rather than admitting fault. Court filings show the proposed $4 million fund will first cover legal fees, then provide up to $1 million for credit‑monitoring and identity‑theft insurance, plus compensation of up to $20,000 per substantiated loss and smaller fixed amounts for unverified claims.

**What It Means** Eligible Canadians (excluding Quebec) whose information was exposed in either incident will be automatically included unless they opt out by May 19; payouts will be prorated if total claims exceed the fund. For defenders, the incidents highlight the need to secure cloud storage with least‑privilege IAM policies, enforce MFA on privileged accounts, and monitor for anomalous login attempts (detect via SIEM rules for T1078 and T1566). Regularly patch internet‑facing services, maintain offline backups, and test incident‑response playbooks for ransomware (T1486). Organizations should review CISA advisories on BlackCat tactics and consider adopting the MITRE ATT&CK framework to prioritize defenses. What to watch next: the May 25 approval hearing and any subsequent opt‑out decisions that could shift the final payout amounts.
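The 2019 incident came down to a bucket that answered unauthenticated reads, which is exactly the condition a periodic configuration audit should catch. The following is an added example, not code from the article or from MGM, that checks the two controls deciding whether an S3 bucket is publicly readable: the bucket policy document and the Public Access Block settings. The bucket names, account ID, role name and both policy documents are constructed for the demonstration; the input shapes mirror the JSON the AWS API returns, so the check runs offline without credentials.

```python
"""Offline audit of an S3 bucket's public-read exposure.

Added example (not from the article or MGM). Evaluates a bucket policy
document and the bucket's Public Access Block configuration, the two
controls that decide whether a bucket serves unauthenticated reads.
Inputs are plain dicts shaped like the JSON returned by the AWS API.
"""
from fnmatch import fnmatch

# All four flags must be True for a bucket to be fully shielded from
# public ACLs and public policies.
PUBLIC_ACCESS_BLOCK_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM documents allow a bare string wherever a list is expected."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal) -> bool:
    """True when Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_read_statements(policy: dict) -> list:
    """Return the Sid (or positional label) of every Allow statement that
    grants anonymous s3:GetObject without a narrowing Condition."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        # Action may be a string or list and may use wildcards ("s3:*", "*").
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch("s3:getobject", p) for p in patterns):
            continue
        if stmt.get("Condition"):
            # A condition (e.g. a VPC endpoint restriction) narrows the
            # grant; that case wants manual review, not an "open" verdict.
            continue
        hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits


def audit_bucket(name: str, policy: dict, public_access_block: dict) -> list:
    """Return human-readable findings; an empty list means nothing found."""
    findings = []
    missing = [f for f in PUBLIC_ACCESS_BLOCK_FLAGS
               if not public_access_block.get(f, False)]
    if missing:
        findings.append(f"{name}: Public Access Block incomplete "
                        f"(missing {', '.join(missing)})")
    for sid in find_public_read_statements(policy):
        findings.append(f"{name}: policy statement '{sid}' allows "
                        f"anonymous s3:GetObject")
    return findings


# --- Constructed sample inputs (not real MGM configuration) -----------------
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::guest-profiles-example/*",
    }],
}
WEAK_PAB = {}  # no Public Access Block configured at all

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReaderRoleOnly",
        "Effect": "Allow",
        # Hypothetical role ARN: only one named principal may read.
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/profile-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::guest-profiles-example/*",
    }],
}
HARDENED_PAB = {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS}

if __name__ == "__main__":
    for name, pol, pab in (("guest-profiles-weak", WEAK_POLICY, WEAK_PAB),
                           ("guest-profiles-hardened", HARDENED_POLICY, HARDENED_PAB)):
        for line in audit_bucket(name, pol, pab) or [f"{name}: OK"]:
            print(line)
```

In a real account the two inputs come from `get_bucket_policy` (which returns the policy as a JSON string under `Policy`, so `json.loads` it first) and `get_public_access_block` (the `PublicAccessBlockConfiguration` key) on the boto3 S3 client, run across every bucket on a schedule and fed to the SIEM as findings. The Condition branch is deliberately conservative: a statement that is anonymous but conditioned is neither ignored nor flagged as open, because whether it is safe depends on the condition keys in use.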
