Analysis: MGM Data Breach Highlights Growing Concern For Sports Betting Industry

MGM Resorts recently outlined details of a cyberattack in its 8-K earlier this month, disclosing that some MGM Rewards customers who had signed up for accounts prior to March 2019 may have had some critical information stolen by cybercriminals, including driver’s license numbers and Social Security numbers.

The revelation follows a lawsuit filed in January alleging that BetMGM failed to protect customer data, a suit that was later dismissed voluntarily by the plaintiff. BetMGM is, however, likely not celebrating just yet, as the plaintiff in the proposed class-action lawsuit has dismissed the claims without prejudice, which can mean they will be back to try again. The dismissal of lawsuits is often done with prejudice, meaning the case cannot be brought back.

It is not clear if the plaintiff does actually intend to refile. However, the latest revelations likely indicate more lawsuits over handling of customer data could be on the horizon.

What happened in original BetMGM lawsuit?

Back in March, United States Magistrate Judge Edward S. Kiel of the District of New Jersey sent a letter to counsel for both sides in the case scheduling an initial telephone conference, which was slated for March 16. The plaintiff’s attorney, however, filed a notice under Federal Rule of Civil Procedure 41(a) that the action against BetMGM was being dismissed without prejudice. That sent everyone home, but allowed the plaintiff to come back and refile the case at a later time.

What is Rule 41(a)?

Rule 41(a) of the Federal Rules of Civil Procedure addresses voluntary dismissal by the plaintiff. In cases such as this one, where the plaintiff seeks to dismiss the case without a court order, they can do so provided that the other party has not yet served an answer or filed a motion for summary judgment.

The effect of the plaintiff’s voluntary dismissal is deemed without prejudice, provided that the plaintiff has not already dismissed an action based on the same claim.

What was BetMGM case about in the first place?

The complaint in the case was filed back on January 11 in federal court in New Jersey by Jeremy Medina, on behalf of himself and others similarly situated against BetMGM, LLC. The case stems from allegations that BetMGM failed:

to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices, including, but not limited to: full names; contact information; dates of birth; Social Security numbers; and other sensitive information.

This followed an allegation that BetMGM became aware of a data breach in late November 2022 that reportedly occurred in May 2022. According to the complaint, the plaintiff alleges that certain BetMGM patron data was “obtained in an unauthorized manner.”

The complaint cites Security Week, a cybersecurity website, which reported that data of more than 1.5 million BetMGM customers was being offered for sale.

Too long for MGM to respond?

The complaint alleges that BetMGM’s delay in notifying customers, which did not happen until December 21, was too long, and that the time period between learning of the incident and notifying the plaintiff and similarly situated customers exposed them to “significant risk of identity theft and various other forms of personal, social, and financial harm.”

The complaint goes on to allege that BetMGM failed to adequately protect the plaintiff’s and the class’s personal information. In this regard, the plaintiff claimed that BetMGM’s conduct was negligent and “violate[d] federal and state statutes.”

Alleged losses?

The complaint alleges that the plaintiff and class members suffered losses as a result of the breach that included:

Legal claims in MGM data hack case

The complaint alleged several counts related to the reported breach. The first is that BetMGM was negligent and breached its duty of care:

to use reasonable means to secure and safeguard their computer property—and Class Members’ PII [personal information] held within it—to prevent disclosure of the information, and to safeguard the information from theft.

The complaint argued that BetMGM was in a special relationship with the plaintiff and class members because BetMGM was entrusted with the plaintiff and class members’ confidential information.

Did MGM do enough?

The second count in the complaint alleged negligence per se by “failing to use reasonable measures to protect” the personal information of consumers.

The third count in the complaint alleged that BetMGM breached an implied contract with the plaintiff and the class, under which the plaintiff believed there was an agreement that the defendant would safeguard the personal information provided. When a breach occurred, that implied promise was broken.

The plaintiff and the proposed class made numerous other claims, including violation of the New Jersey Consumer Fraud Act.

What to make of all this?

Data breaches are becoming increasingly common, especially in areas where lots of money is involved. The gambling industry is a natural target, much like the banking industry or other heavily regulated fields where a great deal of personal information is needed to verify customer identities.

While this case has been dismissed without prejudice and might be back, even if the plaintiff does not try to bring the case again, it is certain not to be the last lawsuit stemming from a data breach in the industry. The victory in the Medina case is likely a small one at this point, especially as MGM is also facing a lawsuit alleging that the use of “risk free” and “free” bets was deceptive to consumers.

Similar lawsuits have also been filed against Caesars and PointsBet, raising the possibility that we end up with a consolidated case involving much of the online sports betting industry. In fact, it appears the number of lawsuits surrounding promotional language is beginning to snowball.