MGM Resorts International—the Las Vegas-based company behind major casino-resort brands like Bellagio, MGM Grand, and Aria, and also a player in online betting via BetMGM—agreed to a $45 million class action settlement tied to two separate data incidents in July 2019 and September 2023. According to the settlement materials, unauthorized actors accessed customer information that can be highly valuable for identity theft and fraud, including basic contact details and dates of birth as well as more sensitive identifiers such as driver’s license and passport numbers, military ID numbers, and Social Security numbers. The deal offers tiered cash payments (estimated $20, $50, or $75 depending on what data was exposed), reimbursement of documented losses up to $15,000, and one year of financial account monitoring, with a claim deadline of June 3, 2025. The lawsuit was filed because plaintiffs alleged MGM failed to take appropriate steps to safeguard consumer data and to prevent these breaches, causing customers to face increased risks and out-of-pocket costs (like credit freezes, monitoring, and remediation time) after their information was exposed. While MGM did not admit wrongdoing, the settlement is significant because it converts a broad “risk of harm” event into tangible remedies—cash, monitoring, and a structured reimbursement path—without the uncertainty of trial, and it reflects how costly repeated incidents can become for large brands that store expansive customer profiles for loyalty programs, bookings, and payments. More broadly, this case fits a familiar pattern in U.S. data-breach class actions, where companies often settle to avoid prolonged litigation over whether their security measures were “reasonable,” what damages are compensable, and how to value harms like identity-theft risk. The tiered payouts track a common industry approach: the more sensitive the exposed identifier (SSNs and government IDs in particular), the higher the presumed impact, while larger recoveries require proof of actual loss. It also sits within a regulatory environment shaped by state data-breach notification laws and consumer-protection enforcement, plus growing expectations around cybersecurity governance in heavily targeted sectors like hospitality and gaming, where large volumes of personally identifiable information are routinely collected and retained for marketing, reservations, and loyalty ecosystems.