Cybercriminals cash out with casino giant's employee data
(2025/09/24)
- Reference: 1758716572
- News link: https://www.theregister.co.uk/2025/09/24/boyd_gaming_casino_breach/
- Source link:
Hotel and casino operator Boyd Gaming has disclosed a cyberattack to US regulators, warning that hackers may have stolen personal information belonging to employees and other individuals.
The Las Vegas-headquartered revealed Tuesday that attackers breached its tech systems and "removed certain data," though it has not confirmed when the attack occurred or who was responsible.
Boyd Gaming confirmed that the compromised information included data related to employees "and a limited number of other individuals." It has not specified who these additional individuals are or provided details about the types of data stolen.
The meaning of 'limited'
Many data breach disclosures use the word "limited" when describing the impact on individuals' information, but organizations are known to play a little fast and loose with its definition.
For the record, the Oxford dictionary defines it as "restricted in size, amount, or extent; few, small, or short."
One recent example was Aussie telco [1]TPG Telecom saying the impact of a breach at subsidiary iiNet was "limited," and this referred to around 280,000 customers' email addresses.
TransUnion also said "limited personal information" was affected "for a very small percentage of US consumers," in its recent breach disclosure… which [2]affected 4.5 million .
In its [3]Form 8-K filing with the SEC, Boyd Gaming went on to say that it does not expect the costs related to cleanup to have a material impact on its financial condition, primarily due to it holding a "comprehensive cybersecurity insurance policy."
[4]Politicos: 'There is a good strong case for government intervention' on JLR cyberattack
[5]SIM city: Feds say 100,000-card farms could have killed cell towers in NYC
[6]Workers fear for their jobs as JLR's latest shutdown extended
[7]Suspected Iran-backed attackers targeting European aerospace sector with novel malware
This will cover costs associated with bringing in external digital forensics and incident response teams, as well as legal action or regulatory fines. JLR, [8]take note .
Boyd Gaming operates 27 sites across more than 10 US cities, with most located in Las Vegas. A further site is due to open in Norfolk, Virginia, in 2027.
[9]
It employs around 16,000 people and most recently posted annual revenues of $3.9 billion for 2024. ®
Get our [10]Tech Resources
[1] https://www.theregister.com/2025/08/20/tpg_telecom_iinet_breach/
[2] https://www.theregister.com/2025/08/28/transunion_support_app_breach/
[3] https://www.sec.gov/Archives/edgar/data/906553/000119312525213546/d20726d8k.htm
[4] https://www.theregister.com/2025/09/24/uk_politicians_there_is_a/
[5] https://www.theregister.com/2025/09/23/secret_service_sim_bust/
[6] https://www.theregister.com/2025/09/23/jaguar_landrover_shutdown_extended/
[7] https://www.theregister.com/2025/09/23/iran_targeting_european_aerospace/
[8] https://www.theregister.com/2025/09/23/jaguar_landrover_shutdown_extended/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aNQVk1y9Y3No-lg7ZT7Q1gAAAtY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[10] https://whitepapers.theregister.com/
The Las Vegas-headquartered revealed Tuesday that attackers breached its tech systems and "removed certain data," though it has not confirmed when the attack occurred or who was responsible.
Boyd Gaming confirmed that the compromised information included data related to employees "and a limited number of other individuals." It has not specified who these additional individuals are or provided details about the types of data stolen.
The meaning of 'limited'
Many data breach disclosures use the word "limited" when describing the impact on individuals' information, but organizations are known to play a little fast and loose with its definition.
For the record, the Oxford dictionary defines it as "restricted in size, amount, or extent; few, small, or short."
One recent example was Aussie telco [1]TPG Telecom saying the impact of a breach at subsidiary iiNet was "limited," and this referred to around 280,000 customers' email addresses.
TransUnion also said "limited personal information" was affected "for a very small percentage of US consumers," in its recent breach disclosure… which [2]affected 4.5 million .
In its [3]Form 8-K filing with the SEC, Boyd Gaming went on to say that it does not expect the costs related to cleanup to have a material impact on its financial condition, primarily due to it holding a "comprehensive cybersecurity insurance policy."
[4]Politicos: 'There is a good strong case for government intervention' on JLR cyberattack
[5]SIM city: Feds say 100,000-card farms could have killed cell towers in NYC
[6]Workers fear for their jobs as JLR's latest shutdown extended
[7]Suspected Iran-backed attackers targeting European aerospace sector with novel malware
This will cover costs associated with bringing in external digital forensics and incident response teams, as well as legal action or regulatory fines. JLR, [8]take note .
Boyd Gaming operates 27 sites across more than 10 US cities, with most located in Las Vegas. A further site is due to open in Norfolk, Virginia, in 2027.
[9]
It employs around 16,000 people and most recently posted annual revenues of $3.9 billion for 2024. ®
Get our [10]Tech Resources
[1] https://www.theregister.com/2025/08/20/tpg_telecom_iinet_breach/
[2] https://www.theregister.com/2025/08/28/transunion_support_app_breach/
[3] https://www.sec.gov/Archives/edgar/data/906553/000119312525213546/d20726d8k.htm
[4] https://www.theregister.com/2025/09/24/uk_politicians_there_is_a/
[5] https://www.theregister.com/2025/09/23/secret_service_sim_bust/
[6] https://www.theregister.com/2025/09/23/jaguar_landrover_shutdown_extended/
[7] https://www.theregister.com/2025/09/23/iran_targeting_european_aerospace/
[8] https://www.theregister.com/2025/09/23/jaguar_landrover_shutdown_extended/
[9] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cybercrime&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aNQVk1y9Y3No-lg7ZT7Q1gAAAtY&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[10] https://whitepapers.theregister.com/
Elongated Muskrat
I struggle to feel sympathy for bad things happening to gambling operators. They're like the parasites that feed on other parasites, and they make ad-slingers like Google look ethical in comparison.
If they lost any of their victims' customers' data, then I hope their fines are heavy, and that they are ordered to pay hefty compensation, personally, to all of those people, whether they are insured against this or not. I also hope their insurance premiums increase substantially.
Of course, there are other criminals at play here, namely those who hacked their systems. Just because their victims are scumbags, doesn't mean that they should be let off lightly.
I think "limited" or "only a few" is best interpreted as "not more than all".