Over 1.5 Million BetMGM Customers Allegedly Affected By Data Breach
A class action lawsuit was recently filed against online gambling giant BetMGM for failing to adequately protect users’ personal identifying information (PII). As a result, up to 1.5 million current and former users are now at risk for identity theft.
The suit alleges that BetMGM came under cyber attack in May 2022, but that the attack was not discovered until November 28th.
Inadequate Security Measures Lead To Data Breach
According to the lawsuit, BetMGM “recklessly” failed to take reasonable steps to secure current and former users’ PII. These failures include not following industry-wide practices of encrypting and/or redacting highly sensitive information. Had BetMGM done so, the hackers “would have made off with only unintelligible data.”
BetMGM Fails To Notify Victims In A Timely Manner
The lawsuit also alleges that BetMGM failed to notify victims in a timely manner that their personal identifying information had been compromised. Despite learning of the attack six months after it had taken place, BetMGM waited until late December before it began to notify victims.
Letter Sent To Victims Amounts To No Real Disclosure At All
BetMGM’s letter to victims fails to give, with any degree of specificity, details of the attack or facts pertaining to the breach. Absent from the notice are such things as:
- the date of the attack,
- why it took the company months to discover it,
- how the hackers gained access,
- the precise data that was stolen and
- what steps the company is taking to safeguard consumers’ information.
The letter informs its users that they are entitled to one free credit report each year and advises them to remain vigilant by reviewing their account statements.
Dark Web Offers Database of Stolen BetMGM Data For Sale
While BetMGM waits to disclose the specifics of the May data breach to its customers, the likely attackers are already selling the stolen data online.
On December 21st, a threat actor named “betmgmhacked” disclosed in an online hacking forum that the stolen information is available for sale. The post reports:
“We breached BetMGM’s casino database current as of Nov 2022. This database is inclusive of every BetMGM casino customer (over 1.5M) as of November 2022 from MI, NJ, ON, PV, and WV. Any customer that has placed a casino wager is included in this database.”
It also claims to include data sets belonging to players from BetMGM casinos in New Jersey and Pennsylvania, as well as a “Master Casino” data set with information on customers from all states (all customer records include phone number, email, and address info, according to the threat actor).
BetMGM’s Offer Of Two Years Identity Theft And Credit Monitoring Wholly Inadequate
BetMGM has purportedly offered victims two years of identity and credit monitoring, but the filing deems this “wholly inadequate” as the consequences of the data breach may take years to manifest.
Ritesh Kotak, a cyber security expert, recently shared his thoughts on cyber-attacks. He said that any type of attack is dangerous, as personal identifying information can become available for hackers to leverage. In his words, after such an online breach and data leak, it is almost impossible to reverse the damage that has been done to individuals.
The lawsuit looks to represent anyone in the USA identified by BetMGM as among those who were impacted by the data breach announced in December 2022, including those who were sent notice of the breach.