MGM Resorts, a leading hotel and casino company, has agreed to pay $45 million to settle over a dozen class action lawsuits filed against it following two massive data breaches that compromised the personal information of millions of customers.

The settlement, which was agreed upon on January 21, is pending approval by a Las Vegas federal court, with a ruling expected on June 18. The lawsuits were filed in response to two separate cyberattacks on MGM's systems, one in 2019 and another in 2023, which resulted in the theft of sensitive customer data.

The 2019 breach saw hackers steal millions of customer names, home addresses, phone numbers, and other personal information from MGM's systems. The stolen data was later published on a known cybercrime forum, prompting MGM to confirm the breach in 2020. The 2023 ransomware attack, which caused weeks-long outages and disruptions across MGM's properties, including the Bellagio, Aria, and Cosmopolitan, also resulted in the theft of customer personal information, including some Social Security numbers and passport numbers.

According to lawyers for the class action members, the two data breaches affected more than 37 million MGM Resorts customers. Despite this, MGM has repeatedly declined to share the exact number of affected individuals. A spokesperson for the company, Brian Ahern, did not respond to a request for comment from TechCrunch.

The $45 million settlement fund will be divided among the affected customers, with each eligible to receive up to $75 depending on the types of information stolen in the attacks. However, about 30% of the fund, or $13.5 million, will go towards attorney fees.

The settlement is a significant development in the ongoing battle against cybercrime, particularly in the hospitality industry. The attacks on MGM Resorts highlight the importance of robust cybersecurity measures to protect customer data. The company's reported damages from the 2023 ransomware attack, which exceeded $100 million, serve as a stark reminder of the financial implications of such breaches.

The incident also raises questions about the transparency and accountability of companies in the face of data breaches. MGM's reluctance to disclose the exact number of affected individuals has been criticized, and the settlement may be seen as a victory for customers who have been pushing for greater transparency and compensation.

As the hospitality industry continues to grapple with the challenges of cybersecurity, the MGM Resorts settlement serves as a warning to companies to prioritize the protection of customer data and to be transparent in the event of a breach. The incident is a stark reminder of the importance of robust cybersecurity measures and the need for greater accountability in the face of data breaches.