Barrack, Rodos & Bacine has filed a class action lawsuit in the U.S. District Court for the District of New Jersey on behalf of victims of a data breach at BetMGM LLC. New Jersey-based BetMGM LLC describes itself as “pioneering the sports betting and online gaming industry.” The company was formed as a partnership between MGM Resorts International and Entain Holdings, and has exclusive access to all MGM U.S. in person and online sports betting. Thus, BetMGM is a major player in the world of online sports betting, providing BetMGM customers with 24/7 access to place bets on sporting events nationwide and across all leagues.
However, as alleged in BR&B’s complaint, in May 2022 a third party accessed BetMGM’s network and pilfered personally identifiable information, including names, email and postal addresses, phone numbers and birthdates, of every customer who placed a casino wager using the website of BetMGM. Although the company learned of this event in November 2022, the company waited nearly a month to notify its customers that their highly personal information, including credit card, debit card and hashed Social Security numbers, had been hacked and stolen. Specifically, on December 21, 2022, BetMGM sent email notices to its customers and announced on its website that its security had been breached and that it had learned of the violation on November 28. While it sought to assure customers that their passwords and account funds were not accessed, it also wrote: “We recommend you remain alert for any unsolicited communications regarding your personal information and review your accounts for suspicious activity.” The same day the company announced the breach, it was discovered that someone was selling the personal data on a popular cybercrime forum. The post said the database was “inclusive of every BetMGM casino customer” who had used the service. As alleged in the complaint, BetMGM’s “delayed response adversely affected plaintiff and other class members as they could have undertaken proactive measures to secure their [personal information].” Rather, BetMGM “sat on this important information to the detriment of plaintiff and the class, until defendant’s hand was forced by the cybercrime posting.”
Our complaint alleges that BetMGM’s poor security resulted in a breach of the company’s network that allowed a third party to access every BetMGM customer’s sensitive personal information. The complaint asserts that BetMGM was negligent about protecting the personal information of its customers, and that the delayed response and notification created further harm. In describing the reason for filing the case to Law360, BR&B attorneys Jeff Golan and Andrew Heo stated: “BetMGM needs to take full responsibility for allowing the data breach that has now put at risk very sensitive personal information that more than 1.5 million customers were required to provide to BetMGM. … We are especially concerned with the apparent placement of their identity credentials, including stolen credit card, debit card, and even Social Security numbers, on the dark web.”
The lawsuit seeks to force BetMGM to address the vulnerabilities in its system and to delete all personal information for which it “cannot demonstrate a reasonable and legitimate purpose for continuing to maintain possession of.” It is also looking for compensatory damages for members of the proposed class.
The case is Grippa v. BetMGM LLC, Case No. 2:23-cv-00468, in the U.S. District Court for the District of New Jersey. For more information about the case, please contact Jeff Golan at jgolan@barrack.com or Andrew Heo at aheo@barrack.com.