Key Moments:
- The OYO Las Vegas hotel-casino experienced a cyberattack between January 8 and January 11, impacting roughly 4,700 individuals.
- OYO Hotels accused Highgate Hotels Inc. of contract breaches and “clear negligence” in managing the incident.
- The breach resulted in leaked personal and financial data, with OYO officially reporting the incident on September 18.
Details of the Cyberattack
The OYO Las Vegas hotel-casino, situated across Tropicana Avenue from the MGM Grand, was the target of a cyberattack earlier this year. According to recently revealed court documents from a New York lawsuit, the breach exposed sensitive information belonging to approximately 4,700 guests, staff, and business partners.
The security incident took place between January 8 and January 11, during which the property was managed by Highgate Hotels Inc., a New York-based management company. OYO Hotels, which owns the property, has since accused Highgate of “clear negligence” and failure to adequately address and assume responsibility for the breach.
OYO Hotel & Casino Las Vegas was hit by a ransomware attack earlier this year that exposed sensitive data from nearly 4,700 guests, employees, and business partners, according to court filings. pic.twitter.com/FLn4E8vcuC
— GGB (@GlobalGamingBiz) October 22, 2025
Escalating Legal Disputes
Following the data breach, OYO served Highgate a notice of breach and contract termination, citing “irreparable” violations and financial underperformance at the Las Vegas hotel-casino. Legal confrontations between the two companies are unfolding in both New York and Delaware, involving several properties beyond Las Vegas.
Breach Disclosure Timeline
OYO reportedly did not notify authorities about the incident until September 18, as stated by the Maine Attorney General’s Office. Eight months prior, cybersecurity platform BreachSense.com had indicated that the LockBit 3.0 ransomware group released 30 gigabytes of OYO’s data on the dark web. These files allegedly included personal and financial records, internal documentation, and sensitive casino operations information.
On October 9, Paragon Tropicana Inc., a unit of Paragon Gaming and the casino’s operator, sent notification letters to people whose data may have been compromised. The breach’s public disclosure came on October 14 when Crain’s New York Business reported on the situation using information from the ongoing OYO and Highgate lawsuit.
Broader Impact on Las Vegas Casino Industry
This incident highlights the increasing frequency of cyberattacks against Las Vegas casinos. Earlier this year, Boyd Gaming Corp. confirmed an unauthorized access event affecting its IT infrastructure. In September 2023, both MGM Resorts International and Caesars Entertainment suffered significant ransomware attacks that disrupted operations on the Las Vegas Strip.
| Event | Date | Affected Parties |
|---|---|---|
| OYO Las Vegas Cyberattack | January 8 – January 11 | Guests, Employees, Business Partners (approximately 4,700) |
| Breach Reported to Authorities | September 18 | Maine Attorney General’s Office |
| Public Disclosure | October 14 | General Public via Crain’s New York Business |
- Author
Daniel Williams
