Off-strip OYO Las Vegas hotel-casino hit by cyberattack

2025-10-22

Reading time 1:25 min

The OYO Las Vegas hotel-casino was hit by a cyberattack earlier this year that allegedly exposed personal data from about 4,700 guests, employees, and business partners, according to court filings made recently public in a New York lawsuit.

The breach occurred between January 8 and January 11 while the property was managed by Highgate Hotels Inc., a New York-based firm, the Las Vegas Review-Journal reported. OYO Hotels, the India-based owner of the property, accused Highgate of “clear negligence” and failing to take responsibility for the incident.

OYO has since served Highgate with a notice of breach and termination, citing “irreparable” contract violations and poor financial performance at the Las Vegas property, located across Tropicana Avenue from the MGM Grand.

The two firms are presently engaged in several legal disputes over alleged contract violations, including one in New York and another in Delaware, involving multiple properties.

The cyberattack came to light through a separate lawsuit filed by Highgate in New York over its termination from managing OYO Times Square. The company claims its August 2025 termination violated state labor laws requiring 90 days’ notice for certain layoffs. For its part, OYO referenced the Las Vegas breach in its defense, calling it proof of Highgate’s “deficient” IT security practices.

According to the Maine Attorney General’s Office, OYO did not officially report the incident until September 18, eight months after cybersecurity site BreachSense.com said the LockBit 3.0 ransomware group leaked 30 gigabytes of company data on the dark web. The stolen files reportedly included personal and financial information, internal reports, and casino operation documents.

An October 9 letter from Paragon Tropicana Inc., a subsidiary of the casino’s operator Paragon Gaming, was sent to individuals whose data may have been compromised.

The breach was first reported publicly on October 14 by Crain’s New York Business, which obtained the information through the ongoing legal dispute between OYO and Highgate.

The incident adds to a growing number of cyberattacks targeting Las Vegas casinos. Earlier this year, Boyd Gaming Corp. confirmed unauthorized access to its IT systems, while in September 2023, MGM Resorts International and Caesars Entertainment both suffered major ransomware attacks that disrupted operations across the Strip.