By no means has Caesars Entertainment nor MGM Resorts International climbed out of the dark hole of recent ransomware attacks.
And it doesn’t seem like they will anytime soon.
Case in point: Cyberattacks that targeted four Atlantic City casinos in September could lead to lawsuits against Caesars Entertainment and MGM Resorts International due to breaches of customer private information.
Cyberattacks still making waves for Atlantic City casinos
Recall that Caesars was attacked by a hacker who obtained access to several of its computer systems, including the Caesars Rewards loyalty program database. Customer information including name, addresses, Social Security numbers and personal identification information may have been placed in peril.
A few days after Caesars revealed it had been attacked, MGM announced that many of its casino resorts had similarly been targeted. Allegedly, Caesars paid $15 million to the hackers in a ransomware situation.
The cyberattacks led to a data breach, as the hacker organization apparently made copies of customer databases. A group called Scattered Spider took responsibility for the attack. No charges or arrests have been made as of yet. Federal authorities are working the case.
Lawsuits filed against Caesars, MGM
Last month, separate lawsuits were filed in three states – Nevada, Illinois and New York – by plaintiffs claiming Caesars failed to protect consumer personal information.
A suit against MGM was also filed in Nevada. Similar litigation could be forthcoming in states where casinos were infiltrated by the hackers.
New Jersey had four casinos breached during the September attacks: Caesars Atlantic City, Harrah’s Atlantic City and Tropicana Atlantic City, owned by Caesars Entertainment; and Borgata Atlantic City, operated by MGM Resorts.
A civil lawsuit in New Jersey would require a plaintiff or plaintiffs to make a claim against either Caesars Entertainment or MGM Resorts. Such a case could be filed in the US District Court for the District of New Jersey. To win a lawsuit, the plaintiffs must prove there were damages that stemmed from negligence by the casino operators.
How lawsuits could fare in wake of cyberattacks
In the prior lawsuits filed elsewhere, the plaintiffs contended that they had suffered damages due to the loss of their personal identifiable information (PII).
Given that Caesars and MGM have both acknowledged they were hacked and information was accessed by a criminal operation in separate SEC filings, that could be cited as admission of responsibility for the loss of customer PII.
This month, MGM Resorts explained in a filing with the Securities and Exchange Commission that the data breach could cost the company as much as $100 million. The company reportedly refused to issue the hackers a ransomware payment and, subsequently, it took longer for MGM to get their systems back under their control.
The cyberattack impacted the ability of customers to use cash machines, utilize loyalty cards on the gaming floor, and make reservations. Some venues also saw temporary interruptions to their phone systems and websites.