Las Vegas casinos once again become the target of cybercrime. Wynn Resorts recently confirmed a "cybersecurity incident," with approximately 800,000 records containing sensitive employee information stolen by the hacker group ShinyHunters, and a ransom of $1.5 million demanded. Although the hackers claimed to have deleted the data, the incident has triggered two federal class-action lawsuits. Simply put, this is a real-world test for Nevada's new 24-hour cyber incident reporting regulation that just took effect this year. Want to know how casino giants are dealing with escalating cyber threats? Follow industry security updates continuously on the PASA official website.
First, Attack Details: Hackers demand $1.5 million, company claims data deleted
On February 20, the hacker group ShinyHunters claimed to have launched an attack on Wynn, setting March 3 as the deadline for the ransom. Wynn issued a statement on March 4, acknowledging that "an unauthorized third party had accessed some employee data," but stated that the party "claimed the stolen data had been deleted," and the company "found no evidence of any data being disclosed or misused."
According to tech media The Register, the incident involved about 800,000 records, mainly concerning sensitive employee information, with customer data unaffected.
Second, Legal Consequences: Two class-action lawsuits, claims exceeding $5 million
The incident quickly led to legal action:
First lawsuit: California resident and Wynn customer Richard Reed filed a class-action lawsuit, accusing the company of negligence in handling information (although customer data was unaffected)
Second lawsuit: Former employee Drake Menard filed a class-action lawsuit, accusing the company of lacking "adequate data security measures," with claims amounting to "over $5 million"
Wynn has not commented on the lawsuits but confirmed it is providing credit and identity theft protection services to affected employees.
Third, Regulatory New Rule: 24-hour reporting deadline faces its first test
Nevada revised its cybersecurity reporting rules in January this year, reducing the time for operators to notify regulatory authorities of an incident from 72 hours to 24 hours (from the start of the incident response procedure). Regulators believe that even though this may increase the number of false reports, enhanced communication is necessary.
Wynn confirmed to iGB that this was the company's first encounter with an attack since the new regulation took effect. The Nevada Gaming Control Board has not disclosed whether this is the first report under the new rule.
Fourth, Industry Background: Casinos become a "preferred target" for hackers
Las Vegas casinos have become a major hotspot for cybercrime in recent years. A study by UNLV last year showed that from 2007 to 2023, Nevada gaming companies experienced over 50 confirmed cyber incidents, most concentrated in the last decade. Researchers noted: "Casinos are opportunistic targets—numerous cyber entry points, large amounts of money, and relatively low public attention after attacks."
In the past three years, giants like Caesars, MGM, and Boyd have all been attacked:
MGM: The 2023 attack caused the system to be paralyzed for over a week, with losses of about $100 million (ransom not paid)
Caesars: Paid a ransom of $15 million in the same year
Last September, a teenager related to these attacks was arrested in Nevada; in 2024, another suspected teenager was arrested in the UK.
————
This article is from "PASA-Global iGaming Leaders," a gambling industry news channel: https://t.me/pasa_news
Original in-depth gambling channel: https://t.me/gamblingdeep
Free data reports: @pasa_research
PASA Matrix: @pasa002_bot
PASA official website: https://www.pasa.news
