Boyd Gaming Corp. faces multiple class-action lawsuits in the US District Court in Nevada following a September cyberattack that exposed personal information belonging to employees and customers.
The cases could draw new attention to cybersecurity reporting and compliance practices across the gaming industry.
Four lawsuits were filed last week by three separate attorneys, joining a case submitted earlier in the month by former Boyd employee and Las Vegas resident Scott Levy. Each complaint seeks class-action status to represent thousands of current and former employees and customers whose data may have been compromised.
In a filing with the Securities and Exchange Commission on September 23, Boyd Gaming stated that cyberattackers removed certain information from its systems, including employee records and data from “a limited number of other individuals.” The company said it had begun notifying affected individuals and would inform regulators and government agencies as required.
Boyd Gaming operates 11 casinos in the Las Vegas Valley, including three downtown properties. It also manages 17 additional gaming venues across 10 US states and oversees a tribal casino in California.
The lawsuits were filed by residents of Nevada, Texas, Louisiana, and Ohio. Plaintiffs allege that Boyd failed to maintain reasonable safeguards to prevent unauthorized access to personal information and delayed notifying victims after discovering the breach.
One complaint states the unauthorized activity occurred between September 5 and September 7, though Boyd has not confirmed the exact dates. The company has also not indicated whether a ransom was paid to regain access to its systems.
Las Vegas resident Deandric Price filed a three-count complaint alleging negligence, breach of implied contract, and breach of the implied covenant of good faith and fair dealing. Price’s filing claims Boyd was aware of the breach before reporting it to regulators.
“While defendant claims to have discovered the breach as early as September 6, defendant did not begin informing victims of the data breach until much later and failed to inform victims when or for how long the data breach occurred,” the complaint says. Price is represented by David Wise of the Wise Law Firm in Reno.
Louisiana resident Sherekia Price, represented by Matthew Knepper of Knepper Litigation LLC in Las Vegas, filed a separate lawsuit accusing Boyd of negligence. Her complaint alleges that the breach “impacted several thousand individuals.” Boyd operates five casinos and racinos in Louisiana.
Texas resident Larry Harris brought a seven-count action that includes negligence, negligence per se, unjust enrichment, invasion of privacy, breach of fiduciary duty, breach of implied contract, and a request for declaratory judgment. The lawsuit alleges Boyd “intentionally, willfully, recklessly or negligently” failed to implement and maintain reasonable measures to secure personal data.
According to the complaint, “Through its investigation, defendant determined that unauthorized activity began September 5 and September 7.” Harris is also represented by Wise.
The fourth lawsuit was filed by Cincinnati resident Patricia Tiedtke, who said she had no known connection to Boyd as a customer or employee. Boyd operates Belterra Park Cincinnati in her city.
The complaint claims the company “has intentionally obfuscated the nature of the breach and the threat it posed — how the breach happened and why the defendant continues to delay notifying victims the full extent that hackers had gained access.”
Tiedtke’s two-count filing accuses Boyd of negligence, negligence per se, and invasion of privacy. She is represented by Nathan Ring of Stranch, Jennings & Garvey in Las Vegas, which also represents Levy in the earlier case.
The lawsuits come as US gaming operators face growing scrutiny over data security and incident disclosure requirements. Regulators, including the SEC, have required publicly traded companies to report material cybersecurity incidents promptly and detail their risk management processes.
While Boyd Gaming has not released figures on the number of affected individuals, the outcomes of these cases may influence how casino operators address cybersecurity obligations and protect sensitive employee and customer data in the future.