Off-Strip casino-hotel hit by cyberattack

An off-Strip casino-hotel was the target of a cyberattack earlier this year, a revelation made public in court filings because of a lawsuit in New York involving two parties associated with the Las Vegas property.

OYO Las Vegas hotel-casino suffered a digital breach sometime between Jan. 8 and Jan. 11, allegedly exposing sensitive data of about 4,700 guests, employees and business partners.

OYO Hotels, the India-based hospitality company that owns the Las Vegas hotel-casino, and Highgate Hotels Inc., a New York-based hotel management firm, are presently engaged in several legal disputes over alleged contract violations, including one in New York and another in Delaware, involving multiple properties.

Neither company nor the attorneys listed in court filings responded to requests for comment from the Las Vegas Review-Journal.

According to court filings, the Las Vegas hotel-casino cyberattack was a “data privacy matter” that occurred under Highgate’s management. OYO accuses the hotel operator of “clear negligence” and “failure to assume responsibility” for the attack. The company has since served Highgate with a notice of breach and termination, citing “material and irreparable” violations of its management agreement and “significant financial underperformance” at the property, which sits across Tropicana Avenue from MGM Grand.

The Las Vegas incident surfaced publicly after Highgate filed suit over its dismissal from the OYO Times Square hotel in New York, claiming its August 2025 termination violated state labor laws requiring 90 days’ notice for certain layoffs. OYO, in its defense, pointed to the Las Vegas cyberattack as evidence of “seriously deficient” IT practices.

According to data published by the Maine attorney general’s office, OYO did not officially report the breach until Sept. 18, eight months after cybersecurity site BreachSense.com said the ransomware group LockBit 3.0 leaked 30 gigabytes of company data on the dark web. The compromised information allegedly included personal and financial records, internal financial statements and casino operations documents.

An Oct. 9 letter from Paragon Tropicana Inc., a subsidiary of OYO Las Vegas’ casino operator Paragon Gaming, was sent to potentially affected victims of the digital breach.

Five days later, Crain’s New York Business first reported on the Las Vegas hotel-casino cyberattack while covering the labor dispute in New York City. The disclosure came from a letter penned by an OYO executive to Highgate officials justifying the attempted termination of the Las Vegas operating agreement, which was submitted as evidence in the New York case.

Las Vegas casinos have been targets of cyberattacks in recent years.

This year Las Vegas-based Boyd Gaming Corp. was the victim of a cyberattack where an third party accessed the company’s internal information technology system, according to a public filing with the U.S. Securities and Exchange Commission.The casino company said the cyberattack “has had no impact on the company’s properties or business operations.”

In September 2023, MGM Resorts International suffered a systemwide outage caused by a ransomware group known as Scattered Spider, which disrupted hotel operations, slot machines and digital room keys across multiple properties. Caesars Entertainment disclosed a similar breach the same month, reportedly paying a multimillion-dollar ransom to prevent stolen customer data from being released online.

Contact David Danzis at ddanzis@reviewjournal.com or 702-383-0378. Follow @AC2Vegas_Danzis on X.