Boyd Gaming Corporation

Boyd Gaming Corporation, a major U.S. gambling and hospitality company operating 28 casinos and online gaming platforms, suffered a data breach in early September 2025. An unauthorized third party gained access to its internal IT systems between **September 5–7, 2025**, exfiltrating sensitive personally identifiable information (PII) of customers. The compromised data included **names, addresses, Social Security numbers, driver’s license numbers, government-issued ID numbers (e.g., passports), and dates of birth**. The breach impacted thousands of individuals across multiple states, with **4,300 affected in Texas alone**. Boyd Gaming notified regulators, attorney general offices, and the **U.S. Securities and Exchange Commission (SEC)**. While the company offered **two years of free credit monitoring and identity protection services**, the exposure of high-risk PII (e.g., SSNs, driver’s licenses) poses significant long-term risks, including **identity theft, financial fraud, and unauthorized account access**. Legal firms are investigating potential class-action lawsuits, as affected individuals may be entitled to compensation for the **unauthorized exposure of their sensitive data**, even if no immediate fraud has occurred. The breach underscores vulnerabilities in Boyd Gaming’s cybersecurity defenses, particularly given the **targeted extraction of highly sensitive customer records** by external threat actors.

Source: https://www.claimdepot.com/investigations/boyd-gaming-data-breach-2025

TPRM report: https://www.rankiteo.com/company/boyd-gaming

"id": "boy1002810100425",
"linkid": "boyd-gaming",
"type": "Breach",
"date": "5/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '4,325+ (e.g., 4,300 in Texas, '
                                              '25 in Maine)',
                        'industry': 'Gambling and Hospitality',
                        'location': 'Paradise, Nevada, USA',
                        'name': 'Boyd Gaming Corporation',
                        'size': 'Large (28 casinos and entertainment '
                                'properties across 10 states, plus online '
                                'gaming operations)',
                        'type': 'Public Company'}],
 'customer_advisories': 'Boyd Gaming offered two years of free credit '
                        'monitoring and identity protection (IDX); legal '
                        'remedies may be available',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '4,325+ (exact total '
                                              'undisclosed)',
                 'personally_identifiable_information': 'Yes (names, '
                                                        'addresses, SSNs, '
                                                        'driver’s license '
                                                        'numbers, '
                                                        'government-issued '
                                                        'IDs, dates of birth)',
                 'sensitivity_of_data': 'High (includes SSNs, driver’s license '
                                        'numbers, and government-issued IDs)',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII)',
                                              'Sensitive Identification '
                                              'Documents']},
 'date_detected': '2025-09-06',
 'description': 'Boyd Gaming Corporation, a major American gambling and '
                'hospitality company, experienced a cybersecurity incident in '
                'September 2025 involving unauthorized access to its internal '
                'IT systems. An unauthorized third party exfiltrated sensitive '
                'personally identifiable information (PII) of individuals, '
                'including names, addresses, Social Security numbers, driver’s '
                'license numbers, government-issued ID numbers, and dates of '
                'birth. The breach impacted at least 4,325 individuals across '
                'multiple states, with notifications sent to regulators, '
                'attorney general offices, and the U.S. Securities and '
                'Exchange Commission (SEC). Boyd Gaming is offering two years '
                'of free credit monitoring and identity protection services to '
                'affected individuals.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'exposure of sensitive customer data',
            'data_compromised': ['Name of individual',
                                 'Address',
                                 'Social Security number',
                                 'Driver’s license number',
                                 'Government-issued ID number (e.g., passport, '
                                 'state ID card)',
                                 'Date of birth'],
            'identity_theft_risk': 'High (due to exposure of SSNs, driver’s '
                                   'license numbers, and other PII)',
            'legal_liabilities': 'Potential lawsuits and regulatory scrutiny '
                                 '(e.g., SEC, state attorneys general)',
            'systems_affected': 'Internal IT systems'},
 'investigation_status': 'Ongoing (external cybersecurity experts and law '
                         'enforcement involved)',
 'ransomware': {'data_exfiltration': 'Yes'},
 'recommendations': ['Monitor credit reports and accounts for suspicious '
                     'activity',
                     'Place a fraud alert or security freeze on credit files',
                     'Utilize offered credit monitoring and identity '
                     'protection services (IDX)',
                     'Contact state attorney general’s office for guidance',
                     'Consider legal action if affected'],
 'references': [{'source': 'Shamis & Gentile P.A. Investigation Notice'}],
 'regulatory_compliance': {'legal_actions': 'Potential class-action lawsuits '
                                            '(under investigation by Shamis & '
                                            'Gentile P.A.)',
                           'regulatory_notifications': ['State attorney '
                                                        'general offices '
                                                        '(e.g., Texas, Maine)',
                                                        'U.S. Securities and '
                                                        'Exchange Commission '
                                                        '(SEC)']},
 'response': {'communication_strategy': 'Notifications sent to affected '
                                        'individuals, regulators, and state '
                                        'attorney general offices; SEC filing',
              'incident_response_plan_activated': 'Yes (with external '
                                                  'cybersecurity experts)',
              'law_enforcement_notified': 'Yes (federal law enforcement)',
              'recovery_measures': 'Offered two years of free credit '
                                   'monitoring and identity protection (via '
                                   'IDX, including dark web monitoring and '
                                   'identity recovery services)',
              'third_party_assistance': 'Yes (external cybersecurity experts)'},
 'stakeholder_advisories': 'Notifications sent to affected individuals, '
                           'regulators, and state attorneys general',
 'threat_actor': 'Unauthorized third party',
 'title': 'Boyd Gaming Corporation Data Breach (2025)',
 'type': 'Data Breach'}