Chavdar Vasilev is a journalist covering the casino and sports betting market sectors for CasinoBeats. He joined CasinoBeats in May 2025 and reports on industry-shaping stories across the US and beyond, including legislative debates, market...
Read Full BioBoyd Gaming is facing growing legal troubles after confirming in late September that a cyberattack compromised employee and other personal data. The breach, although not disrupting operations, according to the company, has sparked several lawsuits and class-action investigations targeting the operator’s data security practices.
The Breach: What Happened
On September 23, 2025, Boyd Gaming filed an 8-K with the US Securities and Exchange Commission (SEC), revealing that it had “…recently experienced a cybersecurity incident in which an unauthorized third party accessed our internal IT system.”
According to the company, the stolen data includes information about its employees and a “limited number of other individuals.” Boyd said it sent a notification to those whose data may have been affected. The company also notified the relevant authorities.
Boyd emphasized that the incident did not affect its casino or hotel operations. Also, it stated that it does not expect the breach to cause a material impact on its financial health or business results.
The company also disclosed that it has a “comprehensive cybersecurity insurance policy.” It expects the policy to cover costs, including forensics, legal actions, and regulatory fines (subject to policy limits).
Still, the exact timing, duration, response time, and full scope of the breach remain unclear. The company states that it is working with external cybersecurity experts and federal law enforcement to investigate the issue.
Lawsuits Pile Up Against Boyd
Just days after the revelation of the cyberattack, Scott Levy, a former Boyd employee, filed a lawsuit in the US District Court in Nevada. Levy accuses Boyd of negligence, breach of implied contract, unjust enrichment, and violation of the Nevada Consumer Fraud Act.
It alleges the company failed to implement reasonable cybersecurity measures. Also, the stolen data may include sensitive identifiers such as Social Security numbers.
Levy seeks to create a class action through a declaratory judgment. His attorneys argue that Boyd’s admission that an “unauthorized third party removed certain data” indicates that the information was not merely accessed but stolen. Therefore, that increases the risk of identity theft and financial fraud.
Less than a week after Boyd informed the SEC of the data breach, three law firms —Markovits, Stock & DeMarco, and Strauss Borrelli PLLC —filed four additional lawsuits on behalf of plaintiffs residing in Las Vegas, Texas, Louisiana, and Ohio.
The four lawsuits also seek to establish a class action involving thousands of Boyd Gaming employees, former employees, and customers.
Consumer advocates note that, as with previous casino breaches, the sheer size of Boyd’s nationwide employer base could significantly expand the pool of potential plaintiffs.
Industry Context: Pattern of Cyber Vulnerabilities
Boyd’s situation highlights the casino industry’s vulnerability to cyberattacks, where data theft is increasingly resulting in multimillion-dollar legal settlements.
- Bragg Gaming (August 2025): Just weeks before the Boyd disclosure, Bragg Gaming confirmed a cybersecurity incident affecting its IT systems. The company insisted that the cyberattack had no impact on its operations. Also, there were no indications of compromised personal information. Bragg claims it took immediate action to mitigate any potential impact. The company stated it had recruited independent cybersecurity experts to assist in addressing the matter.
- PaddyPower & Betfair (July 2025): In July, Flutter Entertainment, the parent company of FanDuel, sent emails to customers stating that it had suffered a cyberattack that compromised client data on its platforms, Paddy Power and Betfair. It claimed the breach was limited to basic betting account details. They include clients’ usernames, email addresses, and limited contact information, “including customers’ names and the first lines of their addresses and city.”
- Caesars & MGM (2023): Two years earlier, both Caesars Entertainment and MGM Resorts suffered high-profile breaches. Caesars acknowledged paying roughly $15 million to hackers after attackers accessed its loyalty program database. MGM Resorts endured a more disruptive attack, with slot machines, hotel check-ins, and reservation systems knocked offline for days. The fallout resulted in an estimated $100 million hit to MGM’s profits and multiple lawsuits. In early 2025, MGM agreed to a $45 million settlement to resolve data-breach litigation.
These cases demonstrate that gambling operators are a prime target for cybercriminals. Often, lawsuits follow quickly, resulting in these companies paying settlements in the tens of millions of dollars.
Boyd now faces the same cycle of scrutiny and litigation that engulfed its rivals, setting the stage for a prolonged legal battle.
