The MGM Resorts data breach settlement represents one of the largest hospitality industry cybersecurity resolutions in recent history, with a $45 million fund compensating approximately 37 million affected customers. Two separate incidents—in July 2019 and September 2023—exposed sensitive personal information ranging from names and addresses to Social Security numbers and passport details. For claims administrators managing data breach settlements, this case demonstrates both the scale of modern breach litigation and the complexity of distributing funds to millions of claimants efficiently.
Key Takeaways
- The MGM settlement totals $45 million with a three-tier structure offering estimated flat payments—about $75 for SSN/military ID exposure, $50 for passport/driver’s license, and $20 for basic information—subject to pro rata adjustment depending on total valid claims
- Approximately 37 million customers were affected across two separate breach incidents in 2019 and 2023
- Claimants can receive up to $15,000 in documented loss reimbursement for fraud, identity theft costs, and professional fees
- The 2023 attack cost MGM an estimated $100 million in operational losses and disrupted operations for several days across affected MGM properties, particularly in Las Vegas
- Payments for approved cash claims were sent out on December 12, 2025, via check or digital disbursements such as PayPal, Venmo, direct deposit (ACH), or an e-Mastercard
- The hospitality industry remains a prime target for cybercriminals, with a high percentage of organizations reporting security incidents annually, signaling ongoing settlement opportunities
- Settlement class members who submitted a timely, valid claim are eligible for one year of financial account monitoring with $1 million in fraud insurance coverage
Understanding the MGM Data Breach: What Happened?
The MGM Resorts cyberattack stands as a cautionary tale of how human error can bypass sophisticated security systems. The 2023 breach was executed through social engineering tactics by the Scattered Spider hacking group, who impersonated an MGM employee during a phone call to the IT help desk. Within 10 minutes, attackers obtained login credentials and gained administrator privileges to MGM's Okta and Azure environments.
The attack's impact was immediate and devastating:
- 10-day operational shutdown affecting hotel check-ins, digital room keys, slot machines, and payment processing
- Systems disrupted across 30 MGM properties nationwide
- Estimated $100 million in operational losses according to MGM SEC filings
- Ransomware deployed across 100+ ESXi hypervisors
The 2019 breach, while less dramatic in execution, exposed data from MGM's cloud storage that later appeared on hacking forums. Together, these incidents compromised personal information including names, contact information, dates of birth, driver's license numbers, passport numbers, and Social Security numbers for military personnel and certain guests.
Post-breach analysis identified critical security failures including inadequate multi-factor authentication, lack of network segmentation, insufficient employee security awareness training, and weak detection capabilities. MGM subsequently announced a $40-50 million investment in cybersecurity improvements.
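The sequence described above (a help-desk credential reset followed within minutes by administrator privileges) is one that a correlation rule can flag, which speaks to the weak detection capabilities named in the post-breach analysis. The following is an added example, not code from MGM, Okta, Azure or this article's author; the event schema, event type names, account names and the 30-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema (not the
# log format of Okta, Azure or any other product).
EVENTS = [
    {"ts": "2024-01-15T11:00:00", "type": "helpdesk_credential_reset",
     "actor": "hd.agent2", "target": "m.chen"},
    {"ts": "2024-01-15T11:06:00", "type": "admin_role_granted",
     "actor": "m.chen", "target": "svc.backup2"},
    {"ts": "2024-01-15T14:02:00", "type": "helpdesk_credential_reset",
     "actor": "hd.agent7", "target": "j.doe"},
    {"ts": "2024-01-15T14:09:10", "type": "admin_role_granted",
     "actor": "j.doe", "target": "j.doe"},
    {"ts": "2024-01-15T09:00:00", "type": "helpdesk_credential_reset",
     "actor": "hd.agent2", "target": "a.lee"},
    {"ts": "2024-01-15T16:45:00", "type": "admin_role_granted",
     "actor": "it.admin", "target": "a.lee"},
]

def find_reset_then_privilege(events, window=timedelta(minutes=30)):
    """Flag admin grants that involve an account the help desk reset
    no more than `window` earlier, as grantor or as grantee."""
    last_reset = {}  # account -> (reset time, help-desk agent)
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        when = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "helpdesk_credential_reset":
            last_reset[ev["target"]] = (when, ev["actor"])
        elif ev["type"] == "admin_role_granted":
            # dict.fromkeys de-duplicates while keeping a stable order
            for account in dict.fromkeys((ev["actor"], ev["target"])):
                if account not in last_reset:
                    continue
                reset_at, agent = last_reset[account]
                if when - reset_at <= window:
                    alerts.append({
                        "account": account,
                        "reset_by": agent,
                        "granted_to": ev["target"],
                        "delay_s": int((when - reset_at).total_seconds()),
                    })
    return alerts

if __name__ == "__main__":
    for alert in find_reset_then_privilege(EVENTS):
        print(alert)
```

The a.lee grant is not flagged because it happens hours after the reset; tightening or widening `window` trades missed sequences against alert volume.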
Who is Eligible for the MGM Data Breach Settlement?
Eligibility for the MGM settlement extends to individuals whose personal information was compromised in either the 2019 or 2023 data breach incidents. The settlement class includes anyone who received a notice from MGM about the data breach or whose information was confirmed as exposed during either incident.
Affected individuals fall into distinct categories based on data exposure:
- Tier 1: Social Security numbers or military identification numbers exposed
- Tier 2: Passport numbers or driver's license numbers compromised
- Tier 3: Basic personal information (name, address, date of birth, email, phone number) affected
The settlement consolidated two class actions filed in the U.S. District Court for the District of Nevada: In re MGM Resorts International Data Breach Litigation (Case No. 2:20-cv-00376-GMN-NJK) covering the 2019 breach, and Tanya Owens, et al. v. MGM Resorts International (Case No. 2:23-cv-01480-FRB) addressing the 2023 incident.
Claimants did not need to provide extensive documentation for basic tier payments—the settlement administrator verified exposure through MGM's breach records using unique IDs and PINs sent to affected individuals.
Key Provisions and Benefits of the MGM Settlement
The settlement structure provides multiple compensation avenues designed to address varying levels of harm. Cash payments operate through three tiers based on the sensitivity of compromised data:
Tier Payment Structure:
- Tier 1 - Social Security or Military ID: $75
- Tier 2 - Passport or Driver's License: $50
- Tier 3 - Basic Personal Information: $20
Beyond flat-rate payments, the settlement provides up to $15,000 for documented losses including:
- Fraud losses and unauthorized charges
- Identity theft remediation costs
- Professional fees (attorneys, accountants, credit repair services)
- Credit monitoring expenses incurred prior to settlement
- Time spent addressing breach consequences (valued at $25/hour)
All class members also receive one year of monitoring featuring three-bureau credit monitoring, identity theft protection services, and $1 million in fraud insurance coverage. Identity restoration services remain available for seven years post-settlement.
Navigating the Claims Process: How to File Your MGM Settlement Claim
The claims process was designed to balance accessibility with fraud prevention—a critical consideration for any settlement administration platform. Claimants received notices containing unique identification numbers and PINs required to access the settlement portal at mgmdatasettlement.com.
Step-by-Step Filing Process:
- Locate your notice: Identify your unique claimant ID and PIN from the mailed or emailed notification
- Access the portal: Visit the official settlement website and enter credentials
- Verify identity: Confirm personal information matches breach records
- Select payment tier: System automatically assigns tier based on data exposure type
- Submit documentation (if claiming losses): Upload receipts, statements, or records supporting documented loss claims
- Choose payment method: Select preferred distribution channel
- Confirm submission: Receive confirmation number for tracking
For documented loss claims exceeding the flat-rate tier payments, required documentation included credit card statements showing unauthorized charges, invoices from identity theft services, receipts from credit monitoring subscriptions, and telephone records demonstrating time spent resolving issues.
The settlement administrator, Kroll, processed claims through secure technology systems designed specifically for data breach settlements. A dedicated call center (888-899-8358) provided support for claimants experiencing difficulties with the process.
Important Deadlines for MGM Settlement Claimants
Missing critical deadlines in class action settlements can permanently forfeit compensation rights. The MGM settlement established clear milestones that claimants needed to observe:
Critical Settlement Timeline:
- February-April 2025: Notice distribution to class members
- June 3, 2025: Claims filing deadline
- June 18, 2025: Final approval hearing
- December 12, 2025: Payment distribution date
- December 16, 2025: Credit monitoring enrollment emails sent
Settlement fraud presents ongoing risks in high-profile cases like MGM. Scammers frequently target data breach victims with fraudulent settlement communications designed to harvest additional personal information or redirect payments.
Warning signs of settlement scams include:
- Requests for payment to receive settlement funds
- Communications from unofficial email domains
- Pressure to act immediately without verification
- Requests for information not included in the original breach (banking passwords, additional SSNs)
Legitimate settlement administrators never request payment from claimants to process claims or distribute funds. All official communications reference the case name and court, and direct claimants to verified settlement websites.
Receiving Your Settlement Payment: Options and Security
The MGM settlement offered five payment methods, reflecting modern preferences for digital payment alternatives over traditional paper checks:
- Prepaid Mastercard: Physical card mailed to address on file
- PayPal: Direct transfer to verified PayPal account
- Venmo: Digital wallet deposit
- Paper check: Traditional mailed payment
- Direct deposit (ACH): Bank account transfer
Payments for approved claims were distributed on December 12, 2025, using the method selected during the claims process. Claimants who choose digital options generally receive funds faster than those awaiting mailed checks or prepaid cards.
The multi-method approach addresses a persistent challenge in settlement administration: reaching unbanked populations who cannot receive ACH transfers. Prepaid cards and digital wallets provide accessible alternatives that improve redemption rates while maintaining payment security.
Why Timely and Compliant Payouts Matter for Data Breach Settlements
Data breach settlements face unique compliance challenges that traditional payment processing cannot adequately address. The MGM case involved approximately 37 million potential claimants across multiple states, each with distinct regulatory requirements for breach notification and victim compensation.
Effective settlement administration requires:
- KYC verification: Confirming claimant identities without creating additional fraud exposure
- OFAC screening: Ensuring payments don't reach sanctioned individuals or entities
- W-9 collection: Gathering tax documentation for payments exceeding reporting thresholds
- Fund segregation: Maintaining dedicated accounts preserving settlement fund integrity
- Audit trails: Documenting every transaction for court reporting and compliance review
The hospitality industry's vulnerability amplifies these concerns. Average hospitality breach costs have continued to rise, with some reports indicating an increase of over 6% year-over-year—signaling growing settlement volumes that demand scalable, compliant payment infrastructure.
Understanding legal payout compliance helps administrators avoid costly delays and regulatory penalties while ensuring claimants receive entitled compensation.
Streamlining Legal Payouts for Complex Settlements with Talli
Mass settlement distributions like MGM require infrastructure built specifically for high-volume, compliance-intensive payouts. Traditional payment methods create friction that reduces redemption rates and increases administrative burden—problems that compound when processing millions of claims.
Talli's AI-driven payment platform addresses these challenges through:
- Automated compliance: KYC, OFAC, and W-9 collection integrated into the payout workflow
- Multiple payment rails: Digital wallets, prepaid cards, ACH, and gift card options ensuring every claimant can receive funds
- Complete fund segregation: Dedicated accounts for every settlement preserving QSF ownership and simplifying reporting
- Fraud mitigation: Built-in verification and audit logs protecting against fraudulent claims
- No bank account required: Flexible options ensuring unbanked populations aren't excluded from compensation
For claims administrators managing data breach settlements, efficiency metrics directly impact both claimant satisfaction and operational costs. Automated processing and real-time fund distribution streamline what traditionally takes weeks.
The platform's scalability handles distributions whether the claimant pool numbers 1,000 or 100,000 recipients—critical capability as data breach class sizes continue growing. Banking services provided by Patriot Bank, N.A., Member FDIC, ensure regulatory compliance throughout the disbursement lifecycle.
Real-Time Tracking and Transparency in Settlement Disbursements
Visibility into payout status represents a fundamental requirement for modern settlement administration. Courts, counsel, and claimants all demand transparency into fund flows and completion rates—information that traditional systems struggle to provide.
Talli's real-time dashboard capabilities enable administrators to:
- Monitor delivery status: Track every payment from initiation through completion
- Measure redemption rates: Identify patterns in unredeemed funds requiring additional outreach
- Sync with CRM systems: Integrate payout data with existing case management platforms
- Generate compliance reports: Produce documentation for court filings and auditor reviews
- Trigger smart follow-ups: Automated reminders via email and SMS to improve completion rates
This level of transparency in distribution transforms administrator capabilities while improving claimant experience. Rather than fielding calls about payment status, teams can focus on exception handling and strategic improvements.
The MGM settlement's use of multiple payment methods—prepaid cards, digital wallets, ACH, and checks—reflects industry movement toward flexible distribution. Platforms offering these options while maintaining compliance controls position administrators to handle increasingly complex settlements efficiently.
Higher redemption rates benefit all stakeholders: claimants receive entitled compensation, administrators demonstrate successful execution, and courts see settlement objectives achieved.
Frequently Asked Questions
What kind of personal information was compromised in the MGM data breach?
The MGM breaches exposed varying levels of personal information depending on individual guest records. The 2019 incident primarily affected names, contact information, dates of birth, and some driver's license numbers from cloud-stored data. The 2023 attack compromised more sensitive data including Social Security numbers (primarily for military personnel and certain guests), passport numbers, driver's license details, and financial information. The settlement's tiered payment structure directly reflects these different exposure levels, with higher payments for more sensitive data categories.
How can I check if I am part of the MGM data breach settlement class?
Class membership was determined by MGM's breach records identifying whose information was compromised. Affected individuals received direct notice via mail or email containing unique claimant IDs and PINs. If you stayed at an MGM property, used MGM Rewards, or provided personal information to MGM Resorts International before September 2023 and did not receive notice, you can contact the settlement administrator at 888-899-8358 to verify your status. The official settlement website also provided a lookup function using personal identifying information.
What happens to unclaimed settlement funds from the MGM case?
Settlement agreements typically specify disposition of unclaimed funds, which may include cy pres distributions to charitable organizations related to the case's subject matter (such as cybersecurity education nonprofits or identity theft prevention groups), redistribution to claiming class members on a pro-rata basis, or escheatment to state unclaimed property funds. The specific treatment varies by settlement terms and court approval. Claimants who miss deadlines or fail to cash payments within specified timeframes forfeit their individual claims, making timely action essential.
Can I opt out of the settlement and pursue individual litigation against MGM?
Class action settlements typically include an exclusion deadline allowing individuals to opt out and preserve individual legal claims. For the MGM settlement, the exclusion deadline preceded the June 18, 2025 final approval hearing. Those who opted out could pursue independent lawsuits but forfeited rights to settlement benefits. Most claimants find settlement participation more practical given litigation costs and uncertainties, though individuals with substantial documented losses exceeding the $15,000 cap sometimes pursue separate claims.
How does Talli ensure the security of settlement payments?
Talli's platform incorporates multiple security layers specifically designed for legal settlement disbursements. Fraud mitigation includes identity verification protocols, audit logs tracking every transaction, and OFAC screening ensuring compliance with sanctions requirements. Complete fund segregation maintains dedicated accounts for each settlement, preserving Qualified Settlement Fund (QSF) ownership and simplifying regulatory reporting. The platform's KYC processes verify claimant identities while W-9 collection ensures proper tax documentation. Banking services through Patriot Bank, N.A., Member FDIC, provide additional regulatory oversight, while real-time monitoring enables immediate detection of suspicious activity patterns.