Wynn Resorts has become the latest victim of a cyberattack, referred to as a "cyber incident" under Nevada's newly updated regulations. The attack, attributed to a cybercrime group named ShinyHunters, involved roughly 800,000 records containing sensitive employee information, which were reportedly deleted by the attackers.
Wynn stated that this incident marks its first attack following the implementation of the new protocols, although the Nevada Gaming Control Board has not confirmed if this is indeed the first case reported under the updated rules. According to The Register, the attack was claimed on February 20, with a ransom demand of $1.5 million set for a deadline on the following Monday. In a statement on Tuesday, Wynn acknowledged the attack but did not disclose whether it paid the ransom.
“We have learned that an unauthorized third party acquired certain employee data,” Wynn said. “Upon discovery, we immediately activated our incident response protocols and launched a thorough investigation with the help of external cybersecurity experts.” The company further noted that the hacker claimed the stolen data was deleted and stated it has seen no evidence that the data has been misused or published elsewhere.
Concerns around cybersecurity have been prominent among Las Vegas operators, with Caesars, MGM, and Boyd having reported similar incidents in recent years. In response, Nevada regulators approved a series of amendments to cybersecurity reporting rules this year, which stress the importance of transparency from licensed operators. The amendments require swifter reporting of incidents, although industry representatives highlight the growing difficulty of assessing the rising number of cyber threats.
As a consequence of the cyberattack, Wynn is facing two federal lawsuits. The first, filed by Richard Reed, a California resident and Wynn customer, seeks class-action status over claims of negligent information handling, focusing on the release of employee data rather than customer data. The second lawsuit, from former employee Drake Maynard, also pursues class-action status for employees alleging the company's lack of adequate data security measures. While the lawsuits do not specify a damage amount, both claim damages exceeding $5 million and were filed in US District Court in Las Vegas. Wynn has not publicly commented on the lawsuits but confirmed that it is offering credit and identity theft services to affected employees.
Despite acknowledging the inherent risks, Wynn stated, “While no company can ever eliminate the risk of a cyberattack, we are taking appropriate steps and working with industry-leading third-party IT advisors to strengthen our systems to protect against future incidents.” The company has been proactive about potential cyber threats, having discussed its vulnerabilities in its 2024 annual report to the Securities and Exchange Commission.
“Despite the security measures we currently have in place, our facilities and systems… may be vulnerable to security breaches, acts of vandalism, phishing attacks, computer viruses, worms, ransomware, malicious software programmes, misplaced or lost data, programming or human errors and other events,” Wynn explained in its SEC filing.
The gaming industry in Las Vegas has become a target for cybercrime. A recent UNLV study revealed over 50 confirmed cyber incidents involving Nevada gaming companies from 2007 to 2023, with a notable increase in incidents over the last ten years. Researchers stated, “Casinos are opportunistic targets because they have an extensive array of cyber entry points, have lots of money, and the public outcry is less conspicuous when they are attacked.” The outdated technology used by much of the gaming industry further exacerbates this vulnerability.
During a workshop in December, Nevada Gaming Control Board Chair Mike Dreitzer noted a "misalignment" between old rules and current best practices. Previously, licensees had a 72-hour window to report incidents; now, the updated regulations necessitate that incidents be reported within 24 hours of activating their cybersecurity incident response plans. This was deemed essential for improved communications, even if it may lead to a higher number of false alarms.
MGM Resorts and Caesars Entertainment suffered significant attacks in 2023, attributed to the “Scattered Spider” hacker group, that garnered national media attention. Caesars confirmed paying a $15 million ransom, while MGM incurred approximately $100 million in losses due to system outages. In September, the Las Vegas Metropolitan Police Department arrested a teenager in connection with the incidents on charges related to identity theft and extortion. Another suspect was apprehended in Walsall, England, linked to the same attacks. MGM expressed its commitment to working with law enforcement, stating, “By voluntarily shutting down our systems, refusing to pay a ransom and working with law enforcement on their investigation and response, the message to criminals was clear: it’s not worth it.”
