Boyd Gaming Corporation, a major casino and entertainment company headquartered in Las Vegas, has become the latest high-profile target of cybercriminals. The company revealed in a filing with the U.S. Securities and Exchange Commission (SEC) on September 23, 2025, that its internal systems had been breached, allowing unauthorized actors to steal confidential data.

While Boyd has not disclosed the full scope of the information taken, the company acknowledged that details about employees and “a limited number of other individuals” were removed from its systems. Though casino and hotel operations remained unaffected, the disclosure has drawn significant scrutiny, particularly as companies in the gaming sector have faced escalating cyberattacks in recent years.

The filing noted that once the intrusion was detected, Boyd immediately enlisted “leading external cybersecurity experts” and worked with federal law enforcement. The company said it holds cybersecurity insurance designed to offset expenses tied to investigations, business disruptions, legal costs, and potential regulatory penalties. Boyd further stated that it does not expect the incident to have a “material adverse effect” on its financial standing or overall operations.

Former Employee Files Lawsuit Alleging Negligence

The company is now facing legal action from Scott Levy, a former Boyd Gaming employee residing in Las Vegas, who filed a lawsuit in U.S. District Court in Nevada. Levy’s complaint, which he hopes to expand into a class action, claims Boyd failed to implement adequate safeguards to prevent the theft of personal data, including Social Security numbers and other sensitive employee and customer records.

The lawsuit argues that Boyd effectively admitted the severity of the breach. As stated in the filing, “Defendant employed ‘leading external cybersecurity experts’ and determined that ‘the unauthorized third party removed certain data from (defendant’s) IT systems, including information about employees and a limited number of other individuals.’” Levy emphasized that Boyd’s acknowledgment confirmed that personal data was stolen—not simply viewed—and that the company’s security measures were “completely inadequate.”

Levy’s lawsuit accuses Boyd of negligence, breach of implied contract, unjust enrichment, and violations of the Nevada Consumer Fraud Act. He is seeking a jury trial and hopes the court will certify the case as a class action, potentially opening the door for other affected employees and customers to join. Boyd Gaming has declined to comment on ongoing litigation beyond its official SEC disclosure.

Casino Industry Remains a Target for Hackers

Boyd Gaming’s data breach places it alongside other major Nevada casino operators that have suffered damaging cyber incidents in recent years. Caesars Entertainment admitted in 2023 that it paid hackers $15 million after its systems were compromised, while MGM Resorts International endured nine days of major operational disruption from a ransomware attack the same year. MGM later reported estimated losses of about $100 million.

Both incidents were tied to the hacking group known as “Scattered Spider,” which authorities believe was behind a series of coordinated attacks on casinos. Recently, law enforcement in Las Vegas announced the arrest of a teenager suspected of participating in some of those attacks, calling the operation a “sophisticated cyber crime.”

Cybersecurity analysts note that casinos are particularly appealing targets due to their vast troves of personal, financial, and transactional information. With operations spanning gaming, hospitality, and loyalty programs, these businesses present multiple vulnerabilities for malicious actors to exploit.

Ongoing Investigations and Next Steps

Boyd Gaming, which operates 11 casinos in the Las Vegas Valley and nearly a dozen more properties across 10 states, is continuing to notify individuals whose information may have been compromised. Regulators and government agencies are also being contacted as the investigation unfolds.

Although the full extent of the breach remains unclear, the lawsuit highlights the growing legal and financial risks companies face when personal data is exposed. For employees and customers impacted, the possibility of fraud or identity theft looms large, and attorneys are encouraging anyone who received a notice from Boyd Gaming to consider legal action.

As the case progresses, Boyd Gaming joins a growing list of casino operators learning firsthand the costly consequences of cybercrime. With lawsuits pending and regulatory scrutiny mounting, the company’s handling of this breach will likely serve as a critical test of accountability in an industry under increasing digital threat.