The OYO Las Vegas hotel-casino suffered a cyberattack between January 8–11, 2025, exposing personal and financial data of ~4,700 guests, employees, and business partners. The LockBit 3.0 ransomware group leaked 30GB of sensitive data including internal reports, casino operations documents, and financial records on the dark web after an eight-month delay in official reporting (reported to Maine AG only on September 18, 2025). The breach occurred under Highgate Hotels Inc.’s management, leading to legal disputes over negligence, contract violations, and termination notices. OYO accused Highgate of ‘deficient’ IT security, while Highgate countered with labor law violations in a separate lawsuit. The incident aligns with a broader trend of ransomware attacks on Las Vegas casinos, following similar breaches at MGM Resorts, Caesars Entertainment, and Boyd Gaming in prior years. The leaked data’s scope suggests severe reputational, financial, and operational risks, compounded by regulatory scrutiny and ongoing litigation.
TPRM report: https://www.rankiteo.com/company/oyolasvegas
"id": "oyo4792047102225",
"linkid": "oyolasvegas",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"{'affected_entities': [{'customers_affected': '4,700 (guests, employees, and '
'business partners)',
'industry': 'Hospitality & Gaming',
'location': 'Las Vegas, Nevada, USA',
'name': 'OYO Las Vegas Hotel-Casino',
'type': 'Hotel-Casino'},
{'industry': 'Hospitality',
'location': 'New York, USA',
'name': 'Highgate Hotels Inc.',
'type': 'Hotel Management Company'},
{'industry': 'Hospitality',
'location': 'India (HQ), Global Operations',
'name': 'OYO Hotels',
'type': 'Hotel Chain Owner'},
{'industry': 'Gaming',
'location': 'Las Vegas, Nevada, USA',
'name': 'Paragon Tropicana Inc. (subsidiary of Paragon '
'Gaming)',
'type': 'Casino Operator'}],
'data_breach': {'data_exfiltration': 'Yes (30 GB of data leaked on dark web)',
'number_of_records_exposed': '4,700',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personal Data',
'Financial Information',
'Internal Reports',
'Casino Operation Documents']},
'date_detected': '2025-01-11',
'date_publicly_disclosed': '2025-10-14',
'description': 'The OYO Las Vegas hotel-casino suffered a cyberattack between '
'January 8 and January 11, 2025, allegedly exposing personal '
'data from about 4,700 guests, employees, and business '
'partners. The breach was linked to the LockBit 3.0 ransomware '
'group, which leaked 30 GB of company data on the dark web, '
'including personal, financial, and operational documents. The '
'incident led to legal disputes between OYO Hotels and '
'Highgate Hotels Inc., the property manager at the time, with '
'OYO accusing Highgate of negligence and deficient IT security '
'practices. The breach was publicly disclosed in October 2025, '
'eight months after the initial leak, and follows a pattern of '
'cyberattacks targeting Las Vegas casinos.',
'impact': {'brand_reputation_impact': 'High (legal disputes, public '
'disclosure of breach, association with '
'ransomware group)',
'data_compromised': ['Personal Data',
'Financial Information',
'Internal Reports',
'Casino Operation Documents'],
'identity_theft_risk': 'High (personal data of 4,700 individuals '
'exposed)',
'legal_liabilities': ['Ongoing lawsuits between OYO and Highgate',
'Potential regulatory fines for delayed '
'disclosure'],
'payment_information_risk': 'High (financial information included '
'in leaked data)'},
'initial_access_broker': {'data_sold_on_dark_web': 'Yes (30 GB of data leaked '
'by LockBit 3.0)',
'high_value_targets': ['Personal Data',
'Financial Information',
'Casino Operation '
'Documents']},
'investigation_status': 'Ongoing (legal disputes, no technical investigation '
'details disclosed)',
'motivation': ['Financial Gain', 'Data Theft'],
'post_incident_analysis': {'root_causes': ['Alleged negligence by Highgate '
'Hotels Inc.',
'Deficient IT security practices']},
'ransomware': {'data_exfiltration': 'Yes (30 GB of data)',
'ransomware_strain': 'LockBit 3.0'},
'references': [{'source': 'Las Vegas Review-Journal'},
{'date_accessed': '2025-10-14',
'source': 'Crain’s New York Business'},
{'source': 'Maine Attorney General’s Office'},
{'source': 'BreachSense.com'},
{'date_accessed': '2025-10-09',
'source': 'Paragon Tropicana Inc. Letter to Affected '
'Individuals'}],
'regulatory_compliance': {'legal_actions': ['Ongoing lawsuits between OYO and '
'Highgate in New York and '
'Delaware',
'Potential class-action or '
'regulatory lawsuits from '
'affected individuals'],
'regulations_violated': ['Potential violations of '
'state data breach '
'notification laws (e.g., '
'Maine, New York)'],
'regulatory_notifications': ['Maine Attorney '
'General’s Office '
'(reported on '
'September 18, 2025)']},
'response': {'communication_strategy': ['Letter to affected individuals '
'(October 9, 2025)',
'Public disclosure via media (October '
'14, 2025)']},
'stakeholder_advisories': ['Letter from Paragon Tropicana Inc. to affected '
'individuals (October 9, 2025)'],
'threat_actor': 'LockBit 3.0 ransomware group',
'title': 'Cyberattack on OYO Las Vegas Hotel-Casino Exposes Personal Data of '
'4,700 Individuals',
'type': ['Data Breach', 'Ransomware Attack']}