The OYO Las Vegas hotel-casino suffered a cyberattack between January 8–11, 2024, exposing sensitive data of approximately 4,700 guests, employees, and business partners. The breach, linked to the LockBit 3.0 ransomware group, resulted in 30 GB of leaked data on the dark web, including personal and financial records, internal financial statements, and casino operations documents. The incident was disclosed eight months later (September 2024) via Maine’s attorney general and court filings tied to a legal dispute between OYO Hotels and Highgate Hotels Inc.. The breach was cited as evidence of negligent IT practices, leading to OYO’s termination of Highgate’s management contract. The attack disrupted trust, risked financial fraud, and exposed regulatory non-compliance, with potential long-term reputational and operational damage to the casino-hotel.
TPRM report: https://www.rankiteo.com/company/oyolasvegas
"id": "oyo1462014102225",
"linkid": "oyolasvegas",
"type": "Cyber Attack",
"date": "1/2024",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"{'affected_entities': [{'customers_affected': '4,700 (guests, employees, and '
'business partners)',
'industry': 'Hospitality/Gaming',
'location': 'Las Vegas, Nevada, USA',
'name': 'OYO Las Vegas Hotel-Casino',
'type': 'Hotel-Casino'},
{'industry': 'Hospitality',
'location': 'India',
'name': 'OYO Hotels (Parent Company)',
'type': 'Hospitality Company'},
{'industry': 'Hospitality',
'location': 'New York, USA',
'name': 'Highgate Hotels Inc.',
'type': 'Hotel Management Firm'},
{'industry': 'Gaming',
'location': 'Las Vegas, Nevada, USA',
'name': 'Paragon Tropicana Inc. (subsidiary of Paragon '
'Gaming)',
'type': 'Casino Operator'}],
'customer_advisories': 'Letter sent to potentially affected victims (Oct. 9, '
'2024)',
'data_breach': {'data_exfiltration': True,
'number_of_records_exposed': '4,700',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal records',
'Financial records',
'Internal financial statements',
'Casino operations documents']},
'date_detected': '2024-01-08',
'date_publicly_disclosed': '2024-09-18',
'description': 'OYO Las Vegas hotel-casino suffered a digital breach between '
'January 8 and January 11, exposing sensitive data of about '
'4,700 guests, employees, and business partners. The breach '
'was linked to alleged negligence by Highgate Hotels Inc., the '
"property's management firm. The ransomware group LockBit 3.0 "
'leaked 30 GB of company data on the dark web, including '
'personal, financial, and operational records. The incident '
'was disclosed publicly in September 2024, eight months after '
'it occurred, amid legal disputes between OYO and Highgate.',
'impact': {'brand_reputation_impact': 'High (public disclosure, legal '
'disputes, media coverage)',
'data_compromised': True,
'identity_theft_risk': 'High (personal and financial records '
'exposed)',
'legal_liabilities': 'Ongoing (lawsuits between OYO and Highgate '
'Hotels Inc.)',
'payment_information_risk': 'High (financial records compromised)'},
'initial_access_broker': {'data_sold_on_dark_web': True,
'high_value_targets': ['Personal data',
'Financial records',
'Casino operations '
'documents']},
'investigation_status': 'Ongoing (legal disputes, no technical details '
'disclosed)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'root_causes': ['Alleged negligence by Highgate '
'Hotels Inc.',
'Deficient IT practices']},
'ransomware': {'data_exfiltration': True, 'ransomware_strain': 'LockBit 3.0'},
'references': [{'source': 'Las Vegas Review-Journal'},
{'source': 'BreachSense.com'},
{'source': 'Maine Attorney General’s Office'},
{'date_accessed': '2024-10-14',
'source': 'Crain’s New York Business'}],
'regulatory_compliance': {'legal_actions': ['Lawsuit between OYO and Highgate '
'Hotels Inc. (New York and '
'Delaware)',
'Notice of breach and termination '
'served by OYO to Highgate'],
'regulatory_notifications': 'Reported to Maine '
'Attorney General’s '
'office (Sept. 18, '
'2024)'},
'response': {'communication_strategy': 'Letter sent to affected individuals '
'(Oct. 9, 2024) by Paragon Tropicana '
'Inc.'},
'stakeholder_advisories': 'Letter from Paragon Tropicana Inc. to affected '
'individuals (Oct. 9, 2024)',
'threat_actor': 'LockBit 3.0 (ransomware group)',
'title': 'Cyberattack on OYO Las Vegas Hotel-Casino Exposes Sensitive Data of '
'4,700 Individuals',
'type': ['Data Breach', 'Ransomware Attack']}