An off-Strip casino hotel was the target of a cyberattack earlier this year, a disclosure made public in court filings stemming from a New York lawsuit involving two parties associated with the Las Vegas property.
The OYO Las Vegas hotel-casino suffered a digital breach sometime between January 8 and January 11, allegedly exposing sensitive information about approximately 4,700 guests, employees and business partners.
OYO Hotels, the India-based hospitality company that owns the Las Vegas hotel casino, and Highgate Hotels Inc., a New York-based hotel company, are currently engaged in several legal disputes over alleged breach of contract, including one in New York and another in Delaware, involving multiple properties.
Neither the company nor the attorneys listed in the court filings responded to requests for comment from the Las Vegas Review-Journal.
According to court documents, the Las Vegas hotel-casino cyberattack was a “data privacy matter” that occurred under Highgate’s direction. OYO accuses the hotel operator of “manifest negligence” and “failure to take responsibility” for the attack. The company has since served Highgate with a cease and desist notice, citing “material and irreparable” violations of its management agreement and “significant financial underperformance” at the property, which is across Tropicana Avenue from the MGM Grand.
The Las Vegas incident became public after Highgate filed a lawsuit over its dismissal from the OYO Times Square hotel in New York, claiming that its August 2025 termination violated state labor laws that require 90 days’ notice for certain layoffs. OYO, in its defense, pointed to the cyber attack in Las Vegas as evidence of “severely deficient” IT practices.
According to records released by the Maine Attorney General’s Office, OYO did not officially report the breach until Sept. 18, eight months after cybersecurity site BreachSense.com said the LockBit 3.0 ransomware group leaked 30 gigabytes of company data onto the dark web. The compromised information allegedly included personal and financial data, internal financial reports and documents about casino operations.
An Oct. 9 letter from Paragon Tropicana Inc., a subsidiary of OYO Las Vegas casino operator Paragon Gaming, was sent to potentially affected victims of the digital breach.
Five days later, Crain’s New York Business first reported on the cyberattack on the Las Vegas hotel and casino while covering the labor dispute in New York City. The revelation came from a letter written by an OYO executive to Highgate officials justifying the attempt to terminate the Las Vegas deal, which was submitted as evidence in the New York case.
Las Vegas casinos have been the target of cyber attacks in recent years.
This year, Las Vegas-based Boyd Gaming Corp. victim of a cyber attack in which a third party gained access to the company’s internal information technology systems, according to a public filing with the US Securities and Exchange Commission. The casino company said the cyberattack “has not had any impact on the company’s properties or business.”
In September 2023, MGM Resorts International suffered a system-wide outage caused by a ransomware group known as Scattered Spider, which disrupted hotel operations, gaming machines and digital room keys at multiple properties. Caesars Entertainment disclosed a similar breach the same month and reportedly paid a multimillion-dollar ransom to prevent stolen customer data from being released online.
Contact David Danzis at ddanzis@ theplayerlounge.com or 702-383-0378. Follow @AC2Vegas_Danzis on X.
