Boyd Gaming is dealing with a growing wave of lawsuits after admitting that hackers managed to penetrate its IT systems and steal sensitive data from employees and others.
Plaintiff on Boyd’s Cybersecurity: “Completely Inadequate”
No less than four law firms have already filed five separate class-action suits representing thousands of potential plaintiffs since last week, accusing the casino entertainment company of failing to provide the mandatory safeguards to keep their personal information safe. The lawsuits include current and former employees alongside customers.
The first complaint came last Thursday from Scott Levy, a former Boyd Gaming employee living in Las Vegas. On Monday, five more people were added as plaintiffs: Deandric Price of Las Vegas, Sherekia Price of Louisiana, Larry Harris of Texas, Patricia Tiedtke of Cincinnati, and Holly Neely, whose residence was not disclosed.
Levy’s filing called the company’s cybersecurity “completely inadequate” as they enabled criminals to access what he described as “a treasure trove” of private information. The man also explained he has experienced a rise in spam calls and phishing texts since the breach, and that Boyd has not directly notified him about the exposure.
Boyd acknowledged the cyberattack in a September 23 Securities and Exchange filing, saying that “an unauthorized third party” accessed their internal IT system and stole data tied to employees and “a limited number of other individuals.”
The company stressed it “promptly took steps to respond to the incident with the assistance of leading external cybersecurity experts and in cooperation with federal law enforcement authorities,” and that casino operations did not suffer.
Boyd added that it carries cybersecurity insurance, which, they believe, should suffice to cover the costs linked to the breach, including investigations, lawsuits, and possible regulatory fines.
While several lawsuits allege that the hackers were active between September 5 and 7, Boyd has not confirmed when the breach occurred, what exact data was taken, or whether any ransom was paid.
Ongoing Cyberattacks
This is the latest on a disturbingly long list of high-profile cyberattacks that have been targeting the gaming industry in Nevada recently. Two years ago, both MGM Resorts and Caesars Entertainment were hit in attacks linked to a group known as Scattered Spider.
Last month, Las Vegas police apprehended a teenager for his alleged ties with the 2023 “sophisticated network intrusions,” which they attributed to “an organized threat-actor group known by several names to include Scattered Spider, Octo Tempest, UNC3944, and/or oktapus.”
More recently, Nevada’s own state systems were offline for three weeks after a cyber incident. In September, Gov. Joe Lombardo confirmed almost all of the state’s websites were back online.