An off-Strip Las Vegas casino-hotel was recently revealed to have suffered a cyberattack earlier this year, with the incident coming to light through court filings connected to an ongoing lawsuit in New York between two companies tied to the property.
Oyo Las Vegas experienced a digital breach between January 8 and January 11, reportedly exposing sensitive information belonging to roughly 4,700 guests, employees, and business partners.
Oyo Hotels, the India-based hospitality firm that owns the property, and Highgate Hotels Inc., a New York-based management company, are embroiled in multiple lawsuits in New York and Delaware over alleged contract breaches affecting several hotels. Neither company nor their listed attorneys have commented publicly on the matter.
Court records describe the Oyo Las Vegas breach as a “data privacy matter” that occurred under Highgate’s management. Oyo accuses Highgate of “clear negligence” and “failure to assume responsibility,” claiming “material and irreparable” violations of its management agreement and citing “significant financial underperformance” at the casino-hotel located across from MGM Grand on Tropicana Avenue.
The breach became public knowledge after Highgate sued Oyo over its dismissal from the Oyo Times Square hotel in New York, alleging improper termination under state labor laws. Oyo, in turn, cited the Las Vegas incident as proof of “seriously deficient” IT and cybersecurity practices.
According to data filed with the Maine attorney general’s office, Oyo did not officially report the breach until September 18, eight months after the ransomware group LockBit 3.0 claimed to have leaked 30 gigabytes of the company’s data on the dark web. The stolen files allegedly included personal and financial records, internal financial statements, and casino operations documents.
A letter dated October 9 from Paragon Tropicana Inc., a subsidiary of Oyo Las Vegas’ operator Paragon Gaming, was sent to individuals whose information may have been affected. Days later, Crain’s New York Business first reported the incident, citing court evidence that included an Oyo executive’s letter to Highgate officials justifying the company’s termination of its Las Vegas management agreement.
Las Vegas casinos have faced a series of cyberattacks in recent years. Boyd Gaming Corp. reported a separate incident this year involving unauthorized access to its IT systems, while MGM Resorts International and Caesars Entertainment both suffered major ransomware attacks in 2023, with MGM operations disrupted for days and Caesars reportedly paying a multimillion-dollar ransom to prevent data exposure.
