
Luxury US hotel and casino operator Wynn Resorts is facing a federal class action lawsuit following claims that hacking group ShinyHunters obtained more than 800,000 customer and employee records.
On Saturday, plaintiff Richard Reed filed a class‑action complaint in the US District Court for Nevada, accusing Wynn Resorts of failing to properly safeguard customer data.
The lawsuit alleges Wynn Resorts stored the data without encryption and failed to implement adequate cybersecurity measures, including multi-factor authentication and staff security training, which then led to the breach back in September.
The attack only came to light after a ShinyHunters blog post published last Friday, claiming it had stolen over 800,000 Wynn customer records.
The hackers gave the luxury resort giant until Monday this week, threatening to release the data to the public.
Wynn Resorts later issued a statement on Tuesday saying that an unauthorized third party stole employee data records, but has reportedly deleted them.
What does the lawsuit against Wynn claim?
The complaint makes detailed claims concerning how customer information was handled and how the company failed to protect what it describes as “highly sensitive” personal information.
According to the lawsuit, the compromised information may include:
- Name
- Email addresses
- Contact information
- Potential account-related details
The filing also alleges that the data was left unencrypted and unredacted.
“Defendant failed to adequately protect Plaintiff’s and Class Members’ Private Information – and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted Private Information was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect Plaintiff’s and Class Members’ sensitive data.”
Reed v. Wynn Resorts Limited
The complaint also suggests that the firm could have provided the victims whose data was breached with more details, alleging that Wynn's breach notification letter omitted the attackers' identities, the root cause of the breach, and the remedial steps taken.
Wynn’s response so far
In its Tuesday statement, Wynn Resorts said that an unauthorized third party stole employee data records, but has reportedly deleted them.
“We are monitoring and to date have not seen any evidence that the data has been published or otherwise misused.”
Wynn did not state whether it paid a ransom to prevent the data leak.
It also said that while the investigation is ongoing, it would be offering complimentary credit monitoring and identity protection to those affected.
The court filing acknowledges this offer but says that it is not enough, arguing that affected customers would need more than the 24 months of identity monitoring on offer because most victims of breaches face identity theft and financial fraud for many years.
The lawsuit brings seven counts against Wynn Resorts, including:
- Negligence
- Negligence per se
- Unjust enrichment
- Invasion of privacy
- Breach of fiduciary duty
- Breach of implied contract
- A request for declaratory judgment
Plaintiffs are seeking "compensatory and consequential damages" and "injunctive relief" requiring Wynn Resorts to strengthen its data security systems, undergo mandatory annual security audits, and provide continued credit monitoring for all class members.
A court hearing has not yet been set.
ShinyHunters' hit list
Threat actor ShinyHunters has been particularly busy this month, carrying out numerous attacks via its signature social-engineering-fueled vishing tactics. Companies that have appeared on its leak site this week include Dutch telecom Odido and its virtual mobile network Ben NL, and CarGurus, an automotive research and shopping marketplace connecting buyers and sellers across the US, Canada, and the UK.