
MGM Resorts sued over data breach affecting up to 10.6M guests

Updated February 22, 2020 - 6:23 pm

A former MGM Resorts International guest is suing the company over a security breach that may have affected up to 10.6 million people.

The company confirmed earlier this week that its cloud server had been hacked over the summer, with certain information — including some guests’ driver’s license and passport information — stolen.

MGM customer John Smallman alleges the company failed to protect his personally identifiable information or implement “adequate and reasonable” cybersecurity procedures and protocols. He believes he and other guests will have to spend a significant amount of time and money protecting themselves from fraud, according to a lawsuit filed Friday in U.S. District Court in Nevada.

MGM officials declined to comment for this story and earlier this week declined to confirm the actual number of affected guests because they say the data included many duplicates.

Risk to guests

An MGM spokesman previously said the majority of the information stolen was “phone book” data, information that can be found in a Google search. But the lawsuit said the stolen data included some guests’ license numbers, passport numbers, military identification numbers, phone numbers, emails and dates of birth.

After discovering the security breach, MGM contacted the affected guests and assured them that there was “no evidence” their information had been misused.

But business technology news website ZDNet reported that the stolen information was later posted to a popular internet hacking forum. That put the private data “in the hands of thieves,” according to the lawsuit, and made affected guests subject to identity theft or medical and financial fraud.

Also, the lawsuit said that guests’ information was exposed in July, but affected customers were not notified until September — “depriving them of the ability to promptly mitigate potential adverse consequences” from the data breach.

The lawsuit alleges MGM tried to avoid bringing the matter to public light to hinder any negative publicity, “hoping that the Breach and its inadequate cyber security practices would go unnoticed.”

‘Not utilizing best practices’

Smallman, a California resident, argues in the lawsuit that he and other affected guests “will forever be at a heightened risk of identity theft and fraud.”

MGM is one of many hospitality companies that have been targeted by hackers, including Marriott, Hyatt and Trump hotels. A 2018 report from information security company Trustwave lists hospitality as one of the top three industries most vulnerable to payment card breaches.

“The hotel industry has been hit with these types of breaches before, and it’s amazing to me when a new one arrives,” John Yanchunis, a lawyer with Morgan & Morgan Complex Litigation Group, told the Review-Journal. The Florida firm filed the lawsuit.

The lawsuit alleges MGM failed to disclose that it did not have a robust computer system and cybersecurity practices, did not take standard and available steps to prevent the hacking, did not monitor and detect the data breach in a timely manner and did not notify Smallman and others of the breach promptly and accurately.

“I expect to discover that the company’s cybersecurity system was not up to par and not utilizing the best practices,” Yanchunis said.

Contact Bailey Schulz at bschulz@reviewjournal.com or 702-383-0233. Follow @bailey_schulz on Twitter.
