The suits, filed Thursday, allege the company was negligent and gained unjust enrichment for failing to protect the personal data of MGM Resorts customers from the alleged social engineering attack.
The plaintiffs separately claim MGM should have been aware of the risk of attack because of prior warnings by Okta that it had been repeatedly targeted for social engineering attacks and failed to take steps necessary to protect customer data.
MGM Resorts on Wednesday said hotel and casino operations were back to normal, after more than 10 days of disruption to the company’s casino, reservations system, digital room keys, payments and other operational issues.
While MGM Resorts restored operations, providing a list of a frequently asked questions, the company is still experiencing lingering concerns. MGM told guests to monitor their MGM Rewards Mastercard account for any potential fraud.
Security researchers linked threat groups Scattered Spider and AlphV/BlackCat to the MGM Resorts attack, saying the groups may have worked together. One group may have used the ransomware as a service infrastructure of the other group to carry out the attacks, researchers said.
AlphV/BlackCat previously claimed to have gained super administrator privileges in the Okta environment inside MGM Resorts and global administrator privileges inside the Azure tenant at the company.
The hackers also claimed to have launched ransomware attacks against 100 of the company’s ESXi hypervisors.
MGM Resorts previously disclosed a cyber incident in a filing with the Securities and Exchange Commission, but has not responded to a request for comment about the litigation.
The FBI said it is investigating and the Cybersecurity and Infrastructure Security Agency confirmed it was assisting in the response. Okta also confirmed it was helping MGM Resorts respond to the attack, but denied its environment was compromised by the attack.
The Federal Trade Commission declined to comment regarding whether it has received any complaints or is investigating MGM Resorts over its data security practices. A spokesperson said the agency does not generally comment on any current or potential investigations.
MGM Resorts is no stranger to cyberattacks — the company was targeted in 2019 by hackers who stole the personal data of more than 10.6 million guests and posted that information online in 2020.
The Nevada Gaming Control Board earlier this month said it was monitoring the current situation along with Gov. Joe Lombardo. Earlier this month Caesars Entertainment disclosed it was hacked in a social media attack that led to the theft of its rewards member database.