MGM Resorts International has agreed to pay $45 million to settle a class-action lawsuit filed over two major data breaches that exposed the personal information of 37 million customers. The settlement, which has received preliminary approval from a federal court, will see victims of the breaches receive payments ranging from $20 to $15,000, depending on the type of information stolen and the documentation of further losses.

The lawsuit consolidated 22 class-action suits filed over two security incidents: a data breach in 2019 and a ransomware attack in 2023. According to court filings, hackers accessed MGM's systems and obtained identifiable customer data, including names, addresses, phone numbers, email addresses, dates of birth, and passport numbers. The 2023 ransomware attack, which shut down Las Vegas slot machines and ATMs, also saw the theft of driver's license numbers, military ID numbers, and Social Security numbers.

The $45 million settlement will be dispersed to victims through a tiered system, with those who had more sensitive information stolen receiving larger payments. Victims who can provide documentation of further losses, such as identity theft or financial fraud, can claim up to $15,000. The settlement is pending a final hearing on June 18th.

While the settlement brings closure to the class-action lawsuit, MGM Resorts is still under investigation by the Federal Trade Commission (FTC) over its handling of the 2023 ransomware attack. Despite the company's attempts to block the probe, the FTC is continuing its investigation into the incident.

The settlement highlights the growing concern over data breaches and cybersecurity in the hospitality industry. With millions of customers' personal information at risk, companies like MGM Resorts must take proactive steps to protect their systems and data from cyber threats. The incident serves as a reminder of the importance of robust security measures and incident response planning to mitigate the impact of data breaches.

The settlement also underscores the need for companies to be transparent and proactive in their response to data breaches. MGM Resorts' handling of the incident has been criticized, and the FTC's ongoing investigation is a testament to the regulator's scrutiny of companies' data privacy practices.

As the hospitality industry continues to grapple with the challenges of cybersecurity, the MGM Resorts settlement serves as a wake-up call for companies to prioritize data protection and incident response. With the increasing frequency and severity of data breaches, companies must take a proactive and transparent approach to protecting their customers' personal information.