Wynn Resorts takes attacker's word for it that stolen staff data was deleted
- Reference: 1772023146
- News link: https://www.theregister.co.uk/2026/02/25/wynn_resorts_shinyhunters/
For anyone familiar with how extortion typically plays out, that's a bold leap of faith. However, Wynn appears satisfied enough to include the assurance in its first official statement since prolific cybercrime crew [1]ShinyHunters claimed credit for the attack last week.
"We have learned that an unauthorized third party acquired certain employee data," a Wynn Resorts spokesperson told The Register. "Upon discovery, we immediately activated our incident response protocols and launched a thorough investigation with the help of external cybersecurity experts.
"The unauthorized third party has stated that the stolen data has been deleted. We are monitoring and to date have not seen any evidence that the data has been published or otherwise misused."
As noted by Dray Agha, senior manager of security operations at Huntress, when miscreants "confirm" they have deleted stolen data, it suggests a ransom may have been paid, although Wynn declined to comment.
"Trusting cybercriminals is inherently flawed; there is no honour among thieves," Agha told The Register. "There is absolutely no reliable way to verify that an extortionist has permanently deleted stolen data. Copies are frequently retained, shared, or sold months down the line."
He added: "An attacker providing an assurance of deletion is a classic hallmark of a completed extortion negotiation. In the business model of modern cybercrime, 'deletion' is exactly the service these cartels claim to provide once their financial demands have been met."
Wynn Resorts, which runs a line of luxury hotels across the world, told us the attack had no impact on its operations or guest stays.
It's also offering free credit monitoring and identity protection to all employees, and in typical post-breach verbiage assured that data security "is our top priority."
Agha said that Wynn's decision to offer credit monitoring to employees shows how little anyone can trust the word of a cybercriminal.
"Wynn's decision to offer credit monitoring to employees is a necessary and prudent move, as it acknowledges that a threat actor's 'promise' holds zero actual security value," he said. "We cannot definitively confirm a ransom was paid without explicit confirmation from Wynn."
Regular readers may recall the [7]LockBit leaks of 2024, and how the UK's National Crime Agency (NCA) attempted to undermine the reputation of the ransomware operation at the time.
[8]ShinyHunters demands $1.5M not to leak Vegas casino and resort chain data
[9]ShinyHunters claims it drove off with 1.7M CarGurus records
[10]Canada Goose ruffles feathers over 600K record dump, says leak is old news
[11]ShinyHunters swipes right on 10M records in alleged dating app data grab
In [12]turning the gang's leak site against it, exposing its inner secrets, the NCA confirmed a long-held suspicion among security practitioners that cybercriminals don't delete data even after a ransom is paid.
"While no company can ever eliminate the risk of a cyberattack, we are taking appropriate steps and working with industry-leading third-party IT advisors to strengthen our systems to protect against future incidents," Wynn's statement concluded.
ShinyHunters claimed the attack against Wynn on February 20. As we reported at the time, a sample of the stolen data shared with The Register appeared legitimate and included full names, email addresses, phone numbers, job roles, salaries, start dates, dates of birth, and other personal information belonging to staff members.
The cybercrooks claimed to have breached Wynn as far back as September 2025 by exploiting an Oracle PeopleSoft vulnerability and using a staffer's credentials.
ShinyHunters is separate from but loosely affiliated with Scattered Spider, which was responsible for a cyber double whammy on Las Vegas hotels and casinos in 2024.
Several Scattered Spider members were arrested in connection with the attacks on Caesars Entertainment and MGM Resorts – [13]some in 2024, and some [14]over a year after the attacks. ®
[1] https://www.theregister.com/2026/02/20/shinyhunters_wynn_resorts/
[7] https://www.theregister.com/2024/05/22/lockbit_dethroned_as_leading_ransomware/
[8] https://www.theregister.com/2026/02/20/shinyhunters_wynn_resorts/
[9] https://www.theregister.com/2026/02/18/shinyhunters_cargurus_breach/
[10] https://www.theregister.com/2026/02/16/canada_goose_shinyhunters/
[11] https://www.theregister.com/2026/01/29/shinyhunters_match_group/
[12] https://www.theregister.com/2024/02/20/nca_lockbit_takedown/
[13] https://www.theregister.com/2025/04/08/scattered_spider_updates/
[14] https://www.theregister.com/2025/09/22/teen_cuffed_scattered_spider_casino/
Re: We paid up
I suspect someone will want some lube a little further down the line!
Not such a bold leap of faith
> For anyone familiar with how extortion typically plays out, that's a bold leap of faith.
If Wynn paid, it's very much in the interest of the threat actors to keep their word. That gives the group the credibility needed to do it again to someone else. If they don't keep their word, then why should the next victim pay to make their cybersecurity failure go away quietly?
Re: Not such a bold leap of faith
You would think... but the extortionists could simply wait 6 months, then sell the data to other criminals. I could even see a "data-laundering" service, where the service buys stolen data from a number of extortionists, combines it all together, then sells blocks of it to different groups. If a block is discovered and analyzed by the good guys, there's no good way of telling where the data came from - it contains data from a number of breaches. Thus the extortionist gets to profit twice, while still publicly claiming they deleted the data, so they're "trustworthy" and people pay them ransoms.
Re: Not such a bold leap of faith
Interesting. Assuming a criminal organization has normal morality.
We paid up
Now we hope we don't get fisted in the process