Boyd Gaming

Boyd Gaming, a major casino entertainment company, suffered a cyber breach where an unauthorized third party infiltrated its IT systems and exfiltrated sensitive data belonging to current/former employees and a limited number of customers. The breach has triggered five class-action lawsuits, with plaintiffs—including employees and customers—alleging negligence in cybersecurity safeguards. The stolen data reportedly includes personal information, leading to increased spam calls and phishing attempts for affected individuals. While Boyd Gaming confirmed the incident in an SEC filing and claimed casino operations remained unaffected, it has not disclosed the exact timeline, scope of stolen data, or whether a ransom was paid. The company is relying on cybersecurity insurance to cover investigation costs, lawsuits, and potential regulatory fines. The breach aligns with a broader trend of cyberattacks targeting Nevada’s gaming industry, following similar incidents at MGM Resorts and Caesars Entertainment in 2023.

Source: https://www.gamblingnews.com/news/boyd-gaming-hit-with-five-lawsuits-after-data-breach/

TPRM report: https://www.rankiteo.com/company/boyd-gaming

"id": "boy5993359100225",
"linkid": "boyd-gaming",
"type": "Breach",
"date": "6/2023",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"

{'affected_entities': [{'customers_affected': 'Limited number of individuals '
                                              '(exact count undisclosed)',
                        'industry': 'Gaming/Hospitality',
                        'location': 'Las Vegas, Nevada, USA',
                        'name': 'Boyd Gaming',
                        'type': 'Public Company'}],
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': "High (described as a 'treasure trove' "
                                        'of private information)',
                 'type_of_data_compromised': ['Employee Data',
                                              'Customer Data',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'date_publicly_disclosed': '2023-09-23',
 'description': 'Boyd Gaming admitted that hackers breached their IT systems '
                'and stole sensitive employee and customer data, leading to '
                'five class-action lawsuits. The breach exposed personal '
                'information, with plaintiffs alleging inadequate '
                'cybersecurity measures. The company acknowledged the incident '
                'in an SEC filing and stated it is cooperating with law '
                'enforcement and cybersecurity experts. Casino operations were '
                'reportedly unaffected, and Boyd believes its cybersecurity '
                'insurance will cover related costs, including lawsuits and '
                'potential fines. The exact timeline, data types stolen, and '
                'whether a ransom was paid remain undisclosed.',
 'impact': {'brand_reputation_impact': 'Negative (multiple class-action '
                                       'lawsuits filed, allegations of '
                                       'inadequate cybersecurity)',
            'customer_complaints': 'Increase in spam calls and phishing texts '
                                   'reported by at least one plaintiff (Scott '
                                   'Levy)',
            'data_compromised': ['Employee Data', 'Customer Data'],
            'identity_theft_risk': 'High (plaintiffs report increased '
                                   'spam/phishing attempts)',
            'legal_liabilities': ['Five class-action lawsuits filed',
                                  'Potential regulatory fines'],
            'operational_impact': 'None (casino operations unaffected)',
            'systems_affected': ['Internal IT Systems']},
 'initial_access_broker': {'high_value_targets': ['Employee Data',
                                                  'Customer Data']},
 'investigation_status': 'Ongoing (with external cybersecurity experts and '
                         'federal law enforcement)',
 'motivation': ['Financial Gain', 'Data Theft'],
 'ransomware': {'data_exfiltration': 'Yes'},
 'references': [{'date_accessed': '2023-09-23',
                 'source': 'SEC Filing by Boyd Gaming'},
                {'source': 'Class-action lawsuits (e.g., Scott Levy v. Boyd '
                           'Gaming)'},
                {'source': 'News reports on Nevada cyber incidents (e.g., MGM '
                           'Resorts, Caesars Entertainment breaches)'}],
 'regulatory_compliance': {'legal_actions': ['Five class-action lawsuits filed '
                                             '(as of reporting)'],
                           'regulatory_notifications': ['SEC filing '
                                                        '(2023-09-23)']},
 'response': {'communication_strategy': ['SEC filing (2023-09-23)',
                                         'No direct notification to all '
                                         'affected individuals (e.g., Scott '
                                         'Levy not notified)'],
              'incident_response_plan_activated': 'Yes (with assistance from '
                                                  'external cybersecurity '
                                                  'experts)',
              'law_enforcement_notified': 'Yes (cooperation with federal law '
                                          'enforcement)',
              'third_party_assistance': 'Yes (leading external cybersecurity '
                                        'experts)'},
 'title': 'Boyd Gaming Data Breach and Class-Action Lawsuits',
 'type': ['Data Breach', 'Unauthorized Access']}