MGM Resorts International and the Federal Trade Commission (FTC) reached a settlement of a contentious legal dispute triggered by a severe cyberattack on MGM in September 2023, which resulted in considerable operational and financial upheaval. The cyberattack, which disrupted MGM’s operations extensively, led to a lawsuit involving a civil investigative demand (CID) issued by the FTC to delve into the casino operator’s data security practices.

Withdrawal of the CID:

Recent developments indicate that the FTC plans to retract its CID, marking a pivotal turn in the ongoing dispute. According to Las Vegas Review-Journal, a letter from FTC Chairman Andrew Ferguson to MGM’s legal representative, Brian Boyle, communicated the decision to withdraw the demand. This letter, shared with the media, effectively signals the cessation of the FTC’s demands, previously aimed at investigating whether MGM’s security measures were adequate under consumer protection laws.

The cyberattack in question had far-reaching consequences for MGM, leading to significant operational disruptions. Slot machines went offline, smartphone room access was interrupted, and credit card systems malfunctioned, necessitating manual transaction processing. The attack not only affected onsite ATMs but also disabled the company’s telephone systems, severely impacting guest services and business operations.

In response to the FTC’s January 2024 CID, which requested information across numerous categories spanning several years, MGM contested the relevance of much of the demanded data and unsuccessfully sought an extension for submission deadlines. MGM’s resistance escalated to legal action in April, challenging the FTC’s jurisdiction and alleging a conflict of interest due to then-Chair Lina Khan’s presence at an MGM property during the attack.

Legal proceedings and settlement:

MGM’s legal pushback led to a lawsuit in the U.S. District Court for the District of Columbia, citing violations of MGM’s Fifth Amendment rights and accusing Khan of a conflict of interest. Concurrently, the FTC filed its lawsuit in Nevada, emphasizing its role in protecting consumers affected by MGM’s data breaches, including a prior incident in February 2019.

The case progressed through various legal challenges, with MGM prevailing in a key December ruling that questioned the FTC’s jurisdiction and the application of financial regulations to MGM’s operations, traditionally viewed within the hospitality sector, not financial services. This ruling also highlighted MGM’s arguments against the FTC’s authority to enforce such comprehensive data security standards on a casino operator.

The legal wrangling has culminated in both parties agreeing to dismiss the case without prejudice, with each bearing its own legal costs, as per recent court filings. This resolution is part of what is termed a “global settlement,” under which MGM has agreed to compensate affected consumers. Individuals whose sensitive data was compromised will be eligible for financial compensation and credit monitoring services, reflecting MGM’s commitment to rectifying the repercussions of the breach on its patrons.