MGM's $4M Payout for Data Breaches: A Test for Canadian Consumer Rights
- CAD $4 million settlement proposed by MGM Resorts for Canadian data breaches
- Up to CAD $20,000 in compensation for substantiated losses per person
- 37 million customers affected by the September 2023 breach alone
Experts would likely conclude that while the settlement provides some compensation, it underscores the need for stronger corporate cybersecurity measures and highlights disparities in legal outcomes across jurisdictions.
MONTREAL, QC – April 17, 2026 – MGM Resorts International is proposing a CAD $4,000,000 settlement to resolve class-action lawsuits in Canada stemming from two significant data breaches that exposed the personal information of millions of its customers. The proposed settlement, which covers confidentiality incidents in 2019 and 2023, is awaiting approval from the Superior Court of Québec, with a hearing scheduled for May 20, 2026.
While the global hospitality giant denies all allegations and liability, the agreement marks a crucial step toward compensating Canadian residents whose data was compromised. The settlement aims to close a contentious chapter for the company, which has faced intense scrutiny over its cybersecurity practices, while providing a pathway for affected individuals to claim damages.
The Settlement: What's on the Table for Canadians
The CAD $4 million Settlement Fund is designed to compensate a wide range of harms experienced by Canadian class members. After deducting court-approved legal fees—expected to be around CAD $1.2 million plus taxes and disbursements—and administration costs, the remaining funds will be available for distribution.
Affected individuals can file claims for several categories of compensation:
Substantiated Losses: Claimants can seek reimbursement for documented, out-of-pocket losses directly resulting from the data breaches, up to a maximum of CAD $20,000 per person. This requires providing reasonable supporting documentation, though the notification letter from MGM itself is not considered sufficient proof.
Future Credit Monitoring: The settlement provides for the reimbursement of up to one year of future credit monitoring services to help victims protect themselves against potential fraud.
Unsubstantiated Losses: Recognizing the difficulty in proving direct financial harm, the settlement includes a provision for unsubstantiated losses. Individuals affected by one breach can claim up to CAD $150, while those impacted by both the 2019 and 2023 incidents can claim up to CAD $300. These amounts could be adjusted proportionally—either up or down—depending on the total number of claims filed. The maximum potential payout for this category is capped at CAD $500 for a single incident and CAD $1,000 for both.
Class members are all persons in Canada whose personal or financial information was compromised in the September 2023 breach, with the settlement also resolving claims related to the July 2019 incident. Those wishing to participate must submit a claim form by a future deadline, which will be posted on the official settlement website, www.MGMDataSettlement.ca. Individuals who do not wish to be bound by the settlement must opt out by May 17, 2026.
In the legal notice, MGM maintains that it is settling to “avoid the risk and expense of continued litigation” and that “No court has found MGM liable.”
A Tale of Two Breaches: How Millions Were Exposed
This settlement addresses two separate but significant security failures at the casino and resort behemoth. The first incident, in July 2019, saw hackers access a cloud server containing the data of approximately 10.6 million guests. The compromised information included names, addresses, phone numbers, email addresses, and dates of birth. The data was later found circulating on hacking forums, putting millions at risk of targeted phishing and identity theft.
The second incident, in September 2023, was far more disruptive and public. Attributed to the ransomware group Scattered Spider, the attack began with a simple but effective social engineering ploy—a phone call, or 'vishing'—to an IT help desk. Once inside the network, the attackers deployed ransomware that crippled MGM’s operations for nearly a week. The cyberattack shut down hotel booking systems, electronic key cards, ATMs, and slot machines, leading to an estimated $100 million in Q3 losses for the company.
This more recent breach exposed the data of over 37 million customers, including sensitive information like driver's license and passport numbers for a subset of individuals. The incident highlighted a pattern of vulnerability, especially following a 2022 data breach at the company’s co-owned betting platform, BetMGM, which affected another 1.5 million customers.
In response to the 2023 attack, MGM stated it shut down systems to contain the threat and engaged cybersecurity experts. The company has since pledged $50 million to upgrade its cybersecurity defenses, focusing on enhanced endpoint protection, cloud security, and employee training to prevent similar social engineering attacks.
Is $4 Million Enough? A Look at the Numbers
While the CAD $4 million settlement offers a measure of recourse, its adequacy is a subject of debate. When compared to the US settlement for the same breaches—which totaled US $45 million (approximately CAD $61.5 million)—the Canadian fund appears modest. This vast difference highlights the disparate legal landscapes and potential damages awarded across jurisdictions.
Furthermore, the settlement fund is less than the average cost a single Canadian organization faces for a data breach, which was estimated at CAD $6.32 million in 2024. This figure, which includes costs for detection, legal services, and lost business, provides context for the financial scale of such incidents.
After legal counsel requests its CAD $1.2 million fee, plus administrative costs, the net fund available to potentially millions of Canadian victims will be significantly smaller. The challenge for many will be proving “substantiated losses,” a notoriously difficult task that requires direct, documented links between the breach and a financial loss. For this reason, the inclusion of compensation for “unsubstantiated losses” is a critical component of the deal, acknowledging the time, stress, and intangible harm that victims suffer.
A Wake-Up Call for Corporate Canada
The MGM case serves as a potent reminder of the escalating stakes in corporate data protection. The repeated breaches underscore that cybersecurity is not a one-time investment but a continuous battle against evolving threats. The 2023 attack's reliance on social engineering, in particular, demonstrates that the human element remains a critical, and often overlooked, vulnerability.
This settlement arrives as Canada’s privacy laws undergo a significant overhaul. Quebec’s new privacy legislation, Law 25, has already introduced some of the strictest data protection rules in North America, with fines reaching up to $25 million or 4% of global turnover. At the federal level, the proposed Consumer Privacy Protection Act (Bill C-27) aims to grant individuals more control over their data and impose steeper penalties for non-compliance.
These legislative changes signal a new era of corporate accountability. Companies operating in Canada face increased pressure not only to prevent breaches but also to respond transparently and effectively when they occur. For the millions of Canadians affected by the MGM breaches, this settlement offers a form of closure and compensation. For the broader corporate world, it stands as a clear warning: in the digital age, protecting customer data is no longer just good practice; it is a fundamental and legally enforceable responsibility.