An off-Strip casino-hotel in Las Vegas, OYO Hotel & Casino Las Vegas, was the target of a cyberattack between January 8 and January 11, 2025, resulting in the exposure of sensitive data belonging to approximately 4,700 guests, employees and business partners.
The breach was revealed in court filings amid ongoing legal disputes involving OYO Hotels and Highgate Hotels Inc., the management firm overseeing the property at the time, according to the Las Vegas Review-Journal.
Key Takeaways:
- OYO Las Vegas suffered a cyberattack revealing personal data of thousands
- The breach is linked to ongoing legal disputes and management issues
- Industry sees rising cyber threats prompting calls for enhanced cybersecurity measures
Las Vegas Casino-Hotel Breach Highlights Widening Cyber Risks
OYO accused Highgate of negligence and failing to take responsibility for the incident, which saw the ransomware group LockBit 3.0 leak about 30 gigabytes of internal data on the dark web.
Compromised materials included personal and financial records as well as documents related to casino operations. Following the incident, OYO issued Highgate a notice of breach and termination, citing “material and irreparable” contractual violations alongside significant financial underperformance by Highgate under their management.
The attack was publicly disclosed last month, roughly eight months after the initial breach and subsequent data leaks came to light online.
The cyberattack coincided with a labor dispute in New York involving the same companies, with Highgate contesting its removal as manager of the OYO Times Square hotel, referencing state labor laws. OYO cited the Las Vegas cybersecurity breach as evidence of inadequate IT practices during legal defenses, as reported by Casino.org.
Rising Cyber Threats Put Casino Industry on Alert
Recent months have seen a rise in cyber threats targeting Las Vegas casinos. Boyd Gaming Corp. disclosed a cyberattack this September affecting internal systems and compromising employee data but stated that casino operations were not impacted.
In September 2023, MGM Resorts International suffered a ransomware attack that disrupted hotel and casino operations for ten days, generating financial losses estimated to exceed $100 million, per the Associated Press. The news agency also reported that Caesars Entertainment encountered a concurrent breach and reportedly paid a $15 million ransom to protect customer information.
These incidents underline increasing cybersecurity vulnerabilities within the gaming industry. Cybersecurity experts have highlighted the urgent need for casinos and hospitality companies to enhance their defensive measures and improve crisis response protocols.
