Wynn Resorts faces lawsuit over alleged ShinyHunters data breach
Credit by wirestock/envato
February 24, 2026

Prominent US casino operator Wynn Resorts Limited is facing a federal class action lawsuit following claims that hacking group ShinyHunters obtained more than 800,000 customer and employee records.

The lawsuit, filed on 21 February in the US District Court for Nevada under the case Reed v. Wynn Resorts Limited, centres on allegations that the company failed to properly safeguard sensitive personal information. The complaint follows a blog post published by ShinyHunters on 20 February, in which the group claimed it had stolen over 800,000 Wynn customer records.

In the court filing, plaintiff Richard Reed alleges that Wynn Resorts’ handling of customers’ sensitive data led to a breach in September. The information reportedly accessed includes Social Security numbers and other personal identifiers, which may expose affected individuals to identity fraud.

The case is listed on PacerMonitor as a federal contract-related civil action filed in Nevada. Legal proceedings are at an early stage and Wynn has not conceded wrongdoing.
 

Allegations in the complaint

The lawsuit sets out detailed claims regarding how customer information was handled. The complaint stated, “On 20 February 2026, the notorious hacking group ShinyHunters announced it had stolen over 800,000 records from Defendant containing the personal information of Plaintiff and Class Members.”

“By obtaining, collecting, using, and deriving a benefit from the Private Information of Plaintiff and Class Members, Defendant assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorised access and intrusion.”

The filing argues that Wynn failed to adequately protect what it describes as “highly sensitive” personal information. It alleges that the data was left unencrypted and unredacted.

“Defendant failed to adequately protect Plaintiff’s and Class Members’ Private Information—and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted Private Information was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect Plaintiff’s and Class Members’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ Private Information because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk of identity theft and fraud to victims of the Data Breach will remain for their respective lifetimes.”

According to the lawsuit, the compromised information may include names, email addresses, contact information and potential account-related details. Separate reporting indicates that samples of the stolen data seen by The Register contained employees’ full names, emails, phone numbers, positions, salaries, start dates, birthdays and other personal information.
 

Notification concerns raised

Beyond the alleged breach itself, the complaint challenges how Wynn informed those affected. The seven-count filing states that Wynn’s Notice Letter did not provide what it describes as a complete account of the incident or sufficient information about preventative measures.

“Omitted from the Notice Letter were the identity of the cybercriminals who perpetrated this Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again. To date, these critical facts have not been explained or clarified to Plaintiff and Class Members, who retain a vested interest in ensuring that their Private Information remains protected.”

The plaintiff argues that Wynn’s “disclosure” amounts to no “real” disclosure of critical facts with any specificity and that without those details the ability of affected individuals to mitigate harm is “severely diminished.”

Wynn reportedly provided 24 months of identity monitoring services to affected customers. However, the complaint describes this as insufficient.

The offer, Reed states, “Fails to provide for the fact victims of data breaches and other unauthorised disclosures commonly face multiple years of ongoing identity theft, financial fraud, and it entirely fails to provide sufficient compensation for the unauthorised release and disclosure of Plaintiff and Class Members’ Private Information. Moreover, once this service expires, Plaintiff and Class Members will be forced to pay out of pocket for necessary identity monitoring services.”
 

Relief sought

The lawsuit asks the court to grant class certification and appoint Reed and counsel as class representatives. It also seeks equitable relief enjoining Wynn from engaging in the alleged wrongful conduct and from refusing to issue what it calls “prompt, complete” disclosures.

Further requests include injunctive relief necessary to protect the interests of Plaintiff and Class Members, an award of damages including actual, nominal and consequential damages, attorneys’ fees and costs, prejudgment interest on all amounts awarded, and “other and further relief as the Court deems just and proper.”

The case will now move through federal court, where Wynn is expected to respond to the allegations.
 

ShinyHunters’ claims and deadline

ShinyHunters issued what it described as a “final warning” on the dark web, giving Wynn until 23 February to respond before the data was allegedly to be made public. As reported by The Register, the group threatened to leak the data “along with several annoying (digital) problems that’ll come your way,” if the resort chain did not comply with its demands.

The hacking group has not released sample data to publicly substantiate its claims and its leak site is currently offline, making independent verification difficult. The escalation suggests negotiations may have broken down, which is a common feature in extortion-driven cyber incidents.

ShinyHunters has previously been linked to cases involving recycled or outdated data. In recent days, it has threatened to release millions of records allegedly tied to US financial advisory firms Mercer Advisors and Beacon Pointe Advisors. It also published data linked to luxury clothing brand Canada Goose, although researchers later determined the information was several years old.

Reports in 2026 indicated that the group conducted voice phishing campaigns to obtain single sign-on login details for Okta, Microsoft and Google accounts. The group has said it was behind breaches affecting Bumble, Match Group, Panera Bread and Crunchbase. It was also previously linked to a major Salesforce CRM data theft incident involving enterprise cloud services and customer databases.

In June 2025, French authorities announced the arrest of four alleged ShinyHunters members across multiple regions of France. Despite those arrests, the group appears to remain active.
 

Wynn’s position and wider context

Wynn Resorts operates high-end casino resorts in Las Vegas and Macau and generates approximately $1.87 billion in revenue. It owns five resorts, 81 restaurants and 200 high-end retail outlets, making it a significant player in the global integrated resort market.

At this stage, Wynn has not publicly confirmed the alleged breach and has not admitted wrongdoing in the lawsuit. The company did not immediately respond to The Register’s inquiries at the time of publication.

If verified, exposure of customer and employee records could trigger regulatory scrutiny and reputational impact. Data breach litigation can carry multi-million dollar implications depending on settlement outcomes and remediation costs. Companies may also face state-level data privacy investigations, federal scrutiny and credit monitoring obligations for affected individuals.

Wynn has also faced regulatory penalties in the past. In May 2025, Nevada regulators fined the company $5.5 million over anti-money laundering compliance issues at its Las Vegas property.
 

Growing cyber threats in the casino sector

The legal action against Wynn occurs against a backdrop of escalating cyber threats affecting the casino and hospitality sector. Integrated resort operators maintain large loyalty databases, hotel reservation systems, online gaming accounts and payment processing records. The combination of financial transactions and extensive personal data makes them attractive targets.

In September 2023, MGM Resorts International experienced a major cyberattack that disrupted operations across its Las Vegas properties. The incident led to system outages affecting hotel check-ins and gaming floors and resulted in class action litigation. In January 2025, MGM agreed to a $45 million settlement to resolve claims related to its 2019 and 2023 breaches.

In the same month in 2023, Caesars Entertainment confirmed that hackers had accessed its loyalty programme database. The company later disclosed that it had paid approximately $15 million to the attackers. Caesars also faced class action lawsuits following the breach.

Outside the United States, Marina Bay Sands in Singapore reported in 2023 that around 665,000 members of its rewards programme had been affected by a data incident involving names, email addresses and phone numbers.

These cases underline a recurring issue for large-scale resort operators. Cybersecurity is no longer solely a technical concern. It is a financial, legal and governance issue with direct consequences for publicly traded companies.
 

What comes next

The Reed v. Wynn Resorts Limited case will now proceed through federal court. Wynn is expected to challenge the allegations. Whether the matter results in dismissal, settlement or extended litigation remains to be seen.

For the gambling industry, the case reinforces a familiar lesson. As digital integration deepens across casino, hospitality and online gaming platforms, the volume and sensitivity of stored data continue to grow. When breaches are alleged, the consequences extend beyond system downtime to include litigation, regulatory attention and potential long-term brand impact.

The outcome of the Wynn proceedings may add further clarity to how US courts assess data protection responsibilities within the integrated resort sector. For now, the case places another major operator under legal scrutiny in an environment where cybersecurity has become a central operational priority.

 

 
