Boyd Gaming Cyberattack Exposes Casino Data Risks

Written by

Share on social media

Boyd Gaming has disclosed a cyberattack in a regulatory filing, confirming unauthorized access to its internal information technology systems. 

The breach involved sensitive employee data and information relating to a limited number of other individuals. The company stated that casino and hotel operations were not affected and that the incident was contained.

Key takeaways:

  • Boyd Gaming cyberattack exposed sensitive employee data
  • Lawsuit filed alleging negligence and inadequate security measures
  • Industry faces increasing threats amid recent high-profile breaches

Cyber Threats Escalate in Gaming

The Boyd Gaming cyberattack adds to a series of breaches, as Caesars Entertainment paid a $15 million ransom following a ransomware attack and MGM Resorts suffered substantial operational disruptions with estimated losses near $100 million.

Industry analysts note that casinos are attractive targets for cybercriminals due to the extensive volumes of personal, financial and transactional data they maintain, covering gaming operations, hospitality services and customer loyalty programs. Their complex IT ecosystems, combining legacy systems with modern cloud solutions, create expansive attack surfaces.

These incidents amplify the mounting regulatory and litigation risks casinos face. Regulators are increasingly scrutinizing cybersecurity protocols, with failure to safeguard data potentially resulting in hefty fines, operational suspensions and reputational damage. The Boyd Gaming cyberattack adds to a concerning pattern, illustrating the legal vulnerabilities that accompany data breaches in the casino industry.

Leading bodies, such as the Global Gaming Cybersecurity Council and the American Gaming Association, recommend adopting a zero-trust security framework — validating every transaction and user regardless of location — given the complex convergence of operational and IT environments.

Boyd Responds Quickly

Boyd Gaming responded swiftly by engaging external cybersecurity experts to investigate the breach and is cooperating with federal law enforcement authorities. The company also confirmed it holds cybersecurity insurance aimed at covering costs related to the investigation, business interruptions, legal liabilities and potential regulatory penalties. Boyd Gaming indicated that the breach is not anticipated to have a material impact on its financial position.

Boyd Gaming is in the process of notifying affected individuals and relevant regulatory bodies as investigations develop. The Boyd Gaming cyberattack highlights escalating cybersecurity risks within casino operations and underscores increasing legal and financial challenges amid growing regulatory scrutiny.

Boyd Gaming Cyberattack Fuels Legal Pressure

Following the announcement of the Boyd Gaming cyberattack, former employee Scott Levy filed a lawsuit against Boyd Gaming. The complaint, lodged in the U.S. District Court in Nevada, alleges negligence and insufficient security measures that allegedly failed to safeguard sensitive personal data, including Social Security numbers. 

Levy’s suit seeks to establish class-action status, representing broader concerns from both employees and customers. The lawsuit asserts claims of negligence, breach of implied contract, unjust enrichment and violations of the Nevada Consumer Fraud Act. 

Boyd Gaming has declined to provide comment on ongoing legal matters apart from disclosures made to the Securities and Exchange Commission.