Boyd Gaming Corp., a major Las Vegas-based casino operator with 11 properties in the Las Vegas Valley and additional locations across 10 U.S. states, suffered a cyberattack in early September 2023 (reportedly between **September 5–7**). The breach involved unauthorized access and exfiltration of **employee data and records tied to a limited number of other individuals**, including customers and former employees. The company delayed notifying victims, with lawsuits alleging negligence in safeguarding personal information and failing to disclose the breach promptly. Multiple class-action lawsuits—filed by employees, ex-employees, and customers from Nevada, Texas, Louisiana, and Ohio—accuse Boyd of **breach of implied contract, negligence, invasion of privacy, and unjust enrichment**. The SEC filing confirmed data theft, but Boyd has not clarified whether ransomware was involved or if a ransom was paid. The incident impacts **thousands of individuals**, raising concerns over financial fraud, identity theft, and reputational damage to the company. Plaintiffs claim Boyd **intentionally obscured the breach’s scope**, including how hackers accessed sensitive data and the duration of unauthorized access.
TPRM report: https://www.rankiteo.com/company/boyd-gaming
"id": "boy5992559100125",
"linkid": "boyd-gaming",
"type": "Breach",
"date": "9/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Thousands (employees, '
'ex-employees, and customers)',
'industry': 'Gaming/Hospitality',
'location': 'Las Vegas, Nevada, USA',
'name': 'Boyd Gaming Corp.',
'size': 'Large (11 casinos in Las Vegas Valley, ~12 '
'other locations across 10 states)',
'type': 'Corporation'}],
'customer_advisories': ['Delayed Notifications to Affected Individuals'],
'data_breach': {'data_exfiltration': 'Yes',
'number_of_records_exposed': 'Several Thousand',
'personally_identifiable_information': ['Names',
'Employee Data',
'Customer Data '
'(potential)'],
'sensitivity_of_data': 'High (PII)',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Employee Records']},
'date_detected': '2023-09-06',
'date_publicly_disclosed': '2023-09-23',
'description': 'A cyberattack against Boyd Gaming Corp., a Las Vegas-based '
'casino company, resulted in the theft of personally '
'identifying information (PII) of employees, ex-employees, and '
'customers. The breach was discovered in early September 2023, '
'with unauthorized activity occurring between September 5–7. '
'The company delayed notifying victims and has faced multiple '
'class-action lawsuits alleging negligence, failure to '
'safeguard data, and lack of transparency. The attackers '
'exfiltrated employee data and records tied to a limited '
'number of other individuals. Boyd operates 11 casinos in Las '
'Vegas and nearly a dozen other gaming locations across 10 '
'U.S. states.',
'impact': {'brand_reputation_impact': ['Negative Publicity', 'Loss of Trust'],
'customer_complaints': ['Multiple Lawsuits Filed'],
'data_compromised': ['Personally Identifiable Information (PII)',
'Employee Records'],
'identity_theft_risk': ['High (PII Exposed)'],
'legal_liabilities': ['Four Class-Action Lawsuits (Nevada, '
'Louisiana, Texas, Ohio)',
'Allegations of Negligence',
'Breach of Implied Contract',
'Invasion of Privacy']},
'initial_access_broker': {'high_value_targets': ['Employee Data',
'Customer PII']},
'investigation_status': 'Ongoing (Lawsuits Pending)',
'motivation': ['Data Theft', 'Financial Gain'],
'post_incident_analysis': {'root_causes': ['Inadequate Data Protection '
'Measures',
'Delayed Incident Response']},
'ransomware': {'data_exfiltration': 'Yes'},
'references': [{'source': 'Las Vegas Review-Journal'},
{'date_accessed': '2023-09-23',
'source': 'U.S. Securities and Exchange Commission (SEC) '
'Filing'}],
'regulatory_compliance': {'legal_actions': ['Four Class-Action Lawsuits '
'(Filed in U.S. District Court, '
'Nevada)'],
'regulatory_notifications': ['SEC Filing '
'(2023-09-23)',
'Planned Notifications '
'to '
'Regulators/Government '
'Agencies']},
'response': {'communication_strategy': ['Delayed Victim Notification',
'SEC Filing on 2023-09-23'],
'incident_response_plan_activated': 'Yes (Investigation '
'Conducted)',
'remediation_measures': ['Notification of Affected Individuals',
'Regulatory Disclosures (SEC Filing)']},
'stakeholder_advisories': ['SEC Filing', 'Victim Notification Letters'],
'title': 'Boyd Gaming Corp. Data Breach (September 2023)',
'type': ['Data Breach', 'Cyberattack']}