An SEC filing revealed a cybersecurity attack against Boyd Gaming Corporation, leading to a lawsuit filed by a former employee of the gaming and hospitality giant.
Former Boyd Gaming employee Scott Levy filed a class action complaint in the U.S. District Court for the District of Nevada against Boyd Gaming after the company experienced a data breach in September 2025. Levy is taking action against Boyd Gaming for failing to prevent the data breach and exposing the “personally identifiable information” of current and former employees. The information included social security numbers.
Levy also accuses Boyd Gaming of failing to notify class members of the lawsuit about the data breach since the issue was only raised in an SEC filing by the Las Vegas-based company. In the filing, Boyd Gaming disclosed a “cybersecurity incident” caused by a third party. The incident involved unauthorized access to Boyd Gaming’s internal IT system.
“The exposure of one’s PII [personally identifiable information] to cybercriminals is a bell that cannot be unrung,” said Levy’s attorneys in the complaint. “Before the data breach, the private information of plaintiff and the class was exactly that—private. Not anymore. Now, their private information is permanently exposed and unsecure.”
In the suit, class members include data breach victims who are current or former Boyd Gaming employees. The class also includes customers impacted by the incident. Levy is a former Boyd Gaming employee who was with the company from April 2022 to May 2024.
Boyd Gaming conducts business as usual
Boyd Gaming claimed in the SEC filing that the data breach had no impact on the “company’s properties of business operations.” As of Oct. 1, Boyd operated 28 gaming properties across 10 states and also owns a B2B and B2C online casino business.
“The company [Boyd Gaming] believes that the incident will not have a material adverse effect on the company’s financial condition or results of operations,” says the SEC filing.
Boyd Gaming also claimed it responded to the data breach with the help of cybersecurity experts and under the oversight of federal law enforcement. The experts found the third-party hackers removed “certain data” from Boyd Gaming’s IT systems. Boyd Gaming claims in the SEC filing that it is notifying impacted individuals of the data breach. Boyd Gaming also “has or will notify its various regulators” and other governmental agencies.
Alleged lack of protections by Boyd Gaming
Levy accuses Boyd Gaming of negligence, breach of implied contract, unjust enrichment and violating the Nevada Consumer Fraud Act. The complaint claims the data breach occurred because Boyd Gaming “failed to adequately train its employees on cybersecurity” and failed to properly monitor the handling of personal information by its agents, vendors and suppliers. Boyd Gaming also allegedly refused to inform its customers, as well as current and former employees, about the number of people affected by the data breach.
Levy claims Boyd Gaming should have had more cybersecurity protections following a private industry notification issued by the FBI in November 2023 warning casinos about ransomware attacks and security vulnerabilities impacting the gaming industry.
The notification was issued following cyberattacks at MGM Resorts International and Caesars Entertainment properties. According to an SEC filing from October 2023, MGM Resorts lost roughly $100 million behind a cyberattack that occurred one month prior.
Ainsworth, IGT and Bragg Gaming Group also recently reported cybersecurity attacks.
Boyd Gaming’s data breach also allegedly led to an influx of spam and phishing texts and phone calls for Levy behind the exposure of his personal information. As a result, Levy claims he suffered actual injury and impending injury due to the data breach that was sparked by Boyd Gaming’s failure to follow industry standards and government guidelines.
Levy and others similarity situated are seeking damages for emotional distress and time and resources allocated toward handing the aftermath of Boyd Gaming’s data breach.
Boyd Gaming is offering free credit monitoring and identity theft protection to impacted individuals in light of the lawsuit. The impacted individuals could reach thousands.
In addition to the lawsuit filed by Levy, Boyd Gaming is facing four additional lawsuits. The lawsuits, filed by three different attorneys, also propose a class action over the data breach. The defendants in the suits are from Las Vegas, Ohio, Louisiana and Texas.
SBC Americas reached out to Boyd for comment on the story but has not received a response at time of publication.
