This year, the OYO Las Vegas hotel-casino was targeted by a cyberattack that reportedly compromised personal information of around 4,700 guests, staff members, and business associates, as detailed in recently disclosed court documents related to a lawsuit in New York.

The data breach took place between January 8 and January 11 while the hotel was under the management of Highgate Hotels Inc., a New York-based company, as reported by the Las Vegas Review-Journal. OYO Hotels, the Indian parent company of the establishment, accused Highgate of “gross negligence” and neglecting its duty regarding the incident.

OYO has subsequently issued a breach and termination notice to Highgate, claiming “irreversible” contract breaches and subpar financial results at the property situated opposite the MGM Grand on Tropicana Avenue.

The two companies are currently involved in various legal conflicts, alleging contract breaches, including cases filed in New York and Delaware concerning multiple properties.

The cyberattack was revealed through a separate legal case initiated by Highgate in New York regarding its termination from managing OYO Times Square. Highgate asserts that its termination in August 2025 breached state labor regulations mandating a 90-day notice before certain layoffs. In its defense, OYO cited the Las Vegas breach as a demonstration of Highgate’s “substandard” IT security measures.

As per the Maine Attorney General’s Office, OYO did not formally announce the breach until September 18, which was eight months after the cybersecurity platform BreachSense.com indicated that the LockBit 3.0 ransomware group had disseminated 30 gigabytes of company data on the dark web. Allegedly, the hacked data included sensitive personal and financial details, internal reports, and documentation on casino operations.

On October 9, a letter was dispatched by Paragon Tropicana Inc., a subsidiary of the casino’s operator, Paragon Gaming, to individuals whose personal information could have been compromised.

The breach’s existence was first publicly noted on October 14 by Crain’s New York Business, which obtained the information amid the ongoing legal tussle between OYO and Highgate.

This incident contributes to a worrying trend of cyber threats targeting Las Vegas casinos. Earlier this year, Boyd Gaming Corp. acknowledged unauthorized infiltration of its IT systems, while in September 2023, both MGM Resorts International and Caesars Entertainment experienced significant ransomware attacks that disrupted operations throughout the Strip.