Off-Strip OYO Las Vegas Targeted by Cyberattack, Lawsuit Reveals

^{The cyberattack on OYO Las Vegas adds to a growing list of cybersecurity incidents affecting casinos of all sizes across the U.S. (Photo: Barry King / Alamy)}

The OYO Las Vegas Hotel and Casino, located just off the Las Vegas Strip, suffered a cyberattack earlier this year that exposed sensitive data belonging to around 4,700 guests, employees, and business partners, according to court filings in New York.

The breach, which occurred between Jan. 8 and Jan. 11, was revealed as part of a lawsuit between OYO Hotels and Highgate Hotels Inc., a hotel management firm.

OYO Accuses Management Firm of ‘Clear Negligence’

In court filings, OYO accused Highgate of “clear negligence” and “failure to assume responsibility” for the cyberattack. The company has since issued a notice of breach and termination to Highgate for alleged violations of their management agreement. 

Highgate filed suit after being dismissed as the management firm for the OYO Times Square hotel in New York. OYO then provided evidence of the cyberattack in Las Vegas as justification for terminating the operating agreement for the Las Vegas hotel. In a letter from an OYO executive to Highgate officials, the company commented that the breach showed “seriously deficient” IT practices by Highgate.

According to a Las Vegas Review-Journal report, OYO did not report the data breach until on September 18, more than eight months after it occurred. On October 9, Paragon Tropicana – a subsidiary of Paragon Gaming – sent letters to those affected by cyberattack alerting them of the situation.

Cybersecurity firm Breachsense reported that a hacker group known as LockBit 3.0 claimed responsbility for the attack. The group leaked 30 gigabytes of data, including personal and company records, casino operations files, and internal financial statements.

Casino Companies Small and Large Face Cybersecurity Concerns

The data breach at an OYO property shows that cybersecurity threats are affecting not only major casino corporations but also smaller operators. However, it’s the attacks on major properties that have drawn the most dramatic headlines over the past few years.

Famously, a September 2023 hack cost MGM Resorts International about $100 million in various expenses and negative impacts after virtually shutting down operations at properties in Las Vegas and elsewhere. Caesars Entertainment was also targeted in that same attack, reportedly paying about $15 million in ransom to regain access to its systems. 

Even Boyd Gaming acknowledged earlier this year that hackers gained access to its IT systems, though the company confirmed that there was no impact on its operations or guest data.

Smaller casino properties have suffered breaches of their systems as well. In early 2025, Kewadin Casinos was forced to shut down its properties in Michigan’s Upper Peninsula following a ransomware attack. In June 2025, Olympic Gaming, which operates two properties in Las Vegas, said it was targeted by a cyberattack, though the properties remained open while working with external cybersecurity experts to resume normal operations.