Boyd Gaming Corporation, a major casino and entertainment company, suffered a cyber breach in September 2025 where unauthorized actors infiltrated its internal systems and exfiltrated confidential data. The stolen information included employee records (such as Social Security numbers) and data from a limited number of other individuals. While casino and hotel operations remained unaffected, the breach triggered legal action from a former employee, Scott Levy, who filed a class-action lawsuit alleging negligence, breach of implied contract, and violations of Nevada’s Consumer Fraud Act. The lawsuit argues Boyd’s security measures were inadequate, as the company admitted personal data was stolen—not merely accessed. The incident follows a trend of escalating cyberattacks on the gaming sector, with prior high-profile cases like Caesars Entertainment (paid $15M ransom) and MGM Resorts (lost ~$100M in disruptions). Boyd is cooperating with cybersecurity experts and law enforcement, but the breach underscores growing legal, financial, and reputational risks tied to data exposure in the industry.
TPRM report: https://www.rankiteo.com/company/boyd-gaming
"id": "boy1692216092925",
"linkid": "boyd-gaming",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"{'affected_entities': [{'customers_affected': 'Limited number of individuals '
'(employees and customers)',
'industry': ['Gaming', 'Hospitality', 'Entertainment'],
'location': 'Las Vegas, Nevada, USA',
'name': 'Boyd Gaming Corporation',
'size': 'Large (operates 11 casinos in Las Vegas '
'Valley and nearly a dozen more across 10 '
'states)',
'type': 'Public Company'}],
'customer_advisories': ['Encouragement to monitor for fraud/identity theft',
'Legal action considerations for affected parties'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Employee Data',
'Customer Data',
'Social Security Numbers',
'PII']},
'date_publicly_disclosed': '2025-09-23',
'description': 'Boyd Gaming Corporation, a major casino and entertainment '
'company, disclosed a cybersecurity breach in September 2025 '
'where unauthorized actors stole confidential employee and '
'customer data. The breach prompted a lawsuit alleging '
'negligence, while the company assured that casino and hotel '
'operations remained unaffected. Boyd enlisted external '
'cybersecurity experts and federal law enforcement to '
'investigate the incident, which is part of a broader trend of '
'cyberattacks targeting the gaming sector.',
'impact': {'brand_reputation_impact': 'Moderate (legal action and regulatory '
'scrutiny)',
'data_compromised': ['Employee Records',
'Customer Records',
'Social Security Numbers',
'Personally Identifiable Information (PII)'],
'identity_theft_risk': 'High (Social Security numbers and '
'sensitive data exposed)',
'legal_liabilities': ['Lawsuit filed by former employee (Scott '
'Levy)',
'Potential class action',
'Allegations of negligence, breach of '
'implied contract, unjust enrichment, and '
'violations of the Nevada Consumer Fraud '
'Act'],
'operational_impact': 'None (casino and hotel operations remained '
'unaffected)',
'systems_affected': ['Internal IT Systems']},
'initial_access_broker': {'high_value_targets': ['Employee Data',
'Customer Data']},
'investigation_status': 'Ongoing (collaboration with federal law enforcement '
'and external cybersecurity experts)',
'motivation': ['Data Theft',
'Potential Financial Gain',
'Fraud/Identity Theft'],
'ransomware': {'data_exfiltration': True},
'references': [{'date_accessed': '2025-09-23',
'source': 'U.S. Securities and Exchange Commission (SEC) '
'Filing'},
{'source': 'U.S. District Court in Nevada (Scott Levy v. Boyd '
'Gaming Corporation)'},
{'source': 'Cybersecurity Analyst Reports on Casino Industry '
'Targeting'},
{'source': 'Historical Context: Caesars Entertainment ($15M '
'ransom, 2023) and MGM Resorts ($100M losses, '
'2023)'}],
'regulatory_compliance': {'legal_actions': ['Lawsuit by Scott Levy (former '
'employee)',
'Potential class action'],
'regulations_violated': ['Potential violations of '
'the Nevada Consumer Fraud '
'Act'],
'regulatory_notifications': ['U.S. Securities and '
'Exchange Commission '
'(SEC)',
'Regulators and '
'government agencies '
'(ongoing)']},
'response': {'communication_strategy': ['SEC filing',
'Notifying affected individuals',
'Regulatory disclosures'],
'incident_response_plan_activated': True,
'law_enforcement_notified': True,
'third_party_assistance': ['Leading external cybersecurity '
'experts']},
'stakeholder_advisories': ['Notification to affected individuals',
'Regulatory disclosures'],
'title': 'Boyd Gaming Corporation Data Breach (2025)',
'type': ['Data Breach', 'Unauthorized Access']}