The Bellagio. Mandalay Bay. MGM Grand. The shimmer of Las Vegas at night, the sound of slot machines, and the scent of recycled air and carpet that hasn’t seen sunlight in years are all associated with these names. One of the biggest hospitality corporations in the world, MGM Resorts International runs establishments that millions of tourists visit annually, giving their names, addresses, passport numbers, and credit card information as casually as they tip a dealer. That information ended up somewhere it shouldn’t have for over 10 million Canadian visitors.
A proposed $4 million Canadian settlement for impacted Canadians has been reached years after two distinct data incidents—a ransomware attack in September 2023 and a breach in July 2019. A court approval hearing is set for May 25 in Vancouver. There’s a good chance that your personal information was compromised if you stayed at an MGM property, played at one of their casinos, or just made a reservation at any time during the relevant periods. Additionally, unless you actively opt out by May 19, you might be automatically included in this settlement if you reside in Canada.
According to US court documents, the 2019 hack exposed the names, home addresses, phone numbers, passport numbers, and email addresses of over 37 million MGM customers worldwide. This breach is at the heart of the British Columbia class action. In certain respects, the 2023 ransomware attack was worse since it allowed hackers to obtain not only the same contact and travel details but also, for some impacted individuals, driver’s license numbers, military identification numbers, and Social Security numbers.
Following the 2023 attack, MGM’s casino operations were noticeably disrupted for days. In the lobbies of some of the world’s most technologically advanced hotels, slot machines went dark and guests checked in using paper records. It was only the second time, and it was a humiliating and public breach.
Your Data Left Las Vegas — But It Didn’t Stay There: The Canadian MGM Data Settlement Explained

| Settlement Name | Canadian MGM Resorts International Data Incident Class Action Settlement |
|---|---|
| Defendant | MGM Resorts International |
| Class Actions Involved | Thandi v. MGM (BC); Zuckerman v. MGM (Quebec – 2019); Dahan v. MGM (Quebec – 2023) |
| Certifying Court | Supreme Court of British Columbia |
| Case Number (BC) | VLC-S-S-207149 |
| Representative Plaintiff (BC) | Nikitta Thandi |
| Total Settlement Fund | CAD $4,000,000 |
| Class Counsel Fees Sought | CAD $1,200,000 (plus taxes and disbursements) |
| First Data Incident | July 2019 — data breach exposing names, addresses, passport numbers, contact information |
| Second Data Incident | September 2023 — ransomware attack; added driver’s licence numbers, military IDs, Social Security numbers |
| Estimated Global Customers Affected | 37 million+ (per US court filings) |
| Canadian Customers Affected | 10.6 million+ |
| Eligible Claimants | Canadian residents (excl. Quebec) whose data was compromised in 2019 incident; Quebec residents have separate proceedings |
| Maximum Claim (Substantiated Losses) | CAD $20,000 per approved claim |
| Compensation (Unsubstantiated, One Breach) | Up to CAD $150 (or up to $500 pro rata) |
| Compensation (Unsubstantiated, Both Breaches) | Up to CAD $300 (or up to $1,000 pro rata) |
| Credit Monitoring Available | One year; up to CAD $1,000,000 in fraud/identity theft insurance |
| Opt-Out Deadline | May 19, 2026 |
| Settlement Approval Hearing | May 25, 2026 — Supreme Court of BC, 800 Smithe Street, Vancouver |
| MGM’s Position | Denies all allegations and liability; settled to avoid cost and risk of litigation |
| Class Counsel | Diamond & Diamond Lawyers LLP (BC); Lex Group Inc. (Quebec) |
| Settlement Website | mgmdatasettlement.ca |

The $4 million Canadian settlement fund is being divided among several class actions that cover both incidents and Canadian citizens who live in Quebec and those who do not. The remaining funds will be given to qualified claimants after up to $1.2 million in legal fees. For substantiated losses—that is, verified proof of actual financial harm from the breach, such as identity theft or fraudulent activity connected to the exposure—the structure permits up to $20,000 in compensation per person. Compensation is more modest for those without recorded losses: up to $150 for individuals impacted by one incident, or up to $300 for those caught in both. Depending on the number of claims filed, pro rata adjustments may be made up to $500 or $1,000.
Here, it’s important to approach the math with objectivity. The majority of eligible Canadian claimants will receive very small payments if even the entire $4 million is divided among them, unless they can show specific financial harm. This is common in data breach class actions; one of the structural frustrations of this kind of litigation is the disparity between the extent of the breach and the compensation available to individual victims. MGM, on the other hand, disputes any wrongdoing and claims that the settlement was made to avoid the expense and uncertainty of ongoing legal proceedings rather than to admit any liability.
By now, data breach settlements have come to be associated with a certain feeling. People receive notices, file claims, wait months or years, and eventually receive checks that don’t truly make up for the anxiety caused by the knowledge that their Social Security number or passport number was being traded on the black market. The Rogers outage settlement, the LastPass breach class action, and the 23andMe settlement are just a few examples of the numerous settlements that Canadians have experienced in recent years. Each one serves as a reminder that the personal information needed to open an account or reserve a hotel room carries risks that are rarely fully disclosed at the time of transaction.
The sheer visibility of what transpired in 2023 is what slightly distinguishes the MGM case. It wasn’t a low-key background breach that was found months later. A portion of the Las Vegas Strip became dark. The attack was publicly acknowledged by MGM. Every major news outlet carried the story. Even before they were notified, visitors to MGM properties during that time were aware that something was amiss. The settlement feels less like closure and more like a formal acknowledgement of something that people had already internalized because of that kind of public spectacle.
The Supreme Court of British Columbia in Vancouver will host the settlement approval hearing on May 25, 2026. Canadians who think they qualify and do nothing before May 19 will be automatically added to the class, subject to the settlement terms, and able to submit a claim when instructions are posted on the settlement website. Before that deadline, those who wish to maintain their ability to sue MGM on their own must opt out. This decision necessitates balancing the uncertain prospect of a small settlement payment against the slim chances of individual litigation. The computation is probably simple for the majority of people. The $20,000 cap may actually be worthwhile to pursue seriously for those who have proven, significant financial losses directly related to the breach.
The precise number of eligible Canadians who will file claims and whether the pro rata adjustments will result in individual payments that are significantly higher or lower than the stated amounts are still unknown. It is evident that there is a limited window, that if you do nothing, the process will proceed automatically, and that May 19 is the most important date if you would prefer not to participate in this at all.

