At least 11,000 people could be affected by Boyd Gaming hack, lawsuit claims

LAS VEGAS (KTNV) — At least 11,000 people could have been affected by a Boyd Gaming cyberattack earlier this year, according to a class-action lawsuit filed last week.

In a September SEC filing, Boyd Gaming officials disclosed they "recently experienced a cybersecurity incident in which an unauthorized third party accessed our internal IT system."

While the company said the incident had no impact on their properties or business operations, they said the third party did access information about employees and a limited number of individuals.

Court records recently obtained by Channel 13 allege that the third party removed personal information, including names, addresses, dates of birth, driver's license information, Social Security numbers, passport numbers, and state ID numbers.

Court documents state that Boyd Gaming officials told the Indiana Attorney General the data breach "injured 11,000 persons — via the exposure of their PII (personal identifying information) — in the data breach." However, the lawsuit states that number could be higher since the company disclosed there are 4,000 class members in Iowa alone and 4,300 class members in Texas alone.

According to the court documents, the cyberattack happened between Sept. 5 and Sept. 7, and customers were notified on Sept. 24.

"These delays and likely inaccuracies in Defendants' notifications likely mean Defendants failed in the most administrative cybersecurity safeguard — a reasonable and tested incident response plan," the lawsuit reads in part.

Several plaintiffs in the case are Nevadans, including two former Boyd Gaming employees who claim their personal information has been used fraudulently since the hack.

Court records state that since September, identity thieves opened a fraudulent credit card account using one employee's information and spent about $5,000. The thieves also used his identity and bank account information to pay for various subscription services, and he was notified of a credit inquiry for a car loan as well as a loan application at Capital One Bank. He also claims to have seen a spike in spam and scam emails.

Another former Boyd Gaming employee from Nevada stated that since the breach, he noticed suspicious activity on his PayPal account with at least three charges for things he didn't purchase. Additionally, he claims he learned his information was published on the dark web.

Other plaintiffs saw similar suspicious charges on their accounts, including one woman who stated someone had signed up for Medicaid benefits in her name and another who said she was added to a credit card account with a $2,500 spending limit.

The lawsuit claims that Boyd Gaming is negligent, should have had proper procedures in place to prevent an incident like this from happening, and hasn't really helped affected customers.

"Defendants have offered some victims credit monitoring and identity-related services. But upon information and belief, such services are wholly insufficient to compensate Plaintiffs and Class Members for the injuries that Defendants inflicted upon them," the complaint states.

We reached out to Boyd Gaming to see if they would like to comment on the lawsuit. On Thursday, a Boyd Gaming official told Channel 13 that per company policy, they do not comment on pending litigation.

As of Monday afternoon, no future court hearings had been scheduled in this case.