LAS VEGAS (CN) — One day after reporting a massive data breach, Caesars Entertainment, which operates eight hotel casinos on the Las Vegas Strip, now faces a class action that looks to hold the hotel and casino giant liable for exposing its customers' personal information to hackers.
The named plaintiff, Miguel Rodriguez, filed the class action Friday in federal court in Nevada, on behalf of himself and other members of Caesars' loyalty programs, who are now at risk of cybercriminals using the six terabytes of stolen sensitive information to take out loans using customers’ identities, file fraudulent tax returns and obtain false identifications and phony driver licenses.
“Plaintiff seeks to hold defendant responsible for the injuries defendant inflicted on plaintiff and tens of thousands similarly situated persons due to defendant’s impermissibly inadequate data security, which caused the personal information of plaintiff and those similarly situated to be exfiltrated by unauthorized access by cybercriminals at a still undetermined and/or undisclosed time but was otherwise discovered on Sept. 7,” Rodriguez, who is being represented by Las Vegas-based attorney Miles Clark, said in the suit.
Rodriguez claimed that Caesars — which owns and operates dozens of hotel and casino properties under its Caesars, Eldorado and Harrah's brands — was negligent in its data security efforts and that customers were not informed of the issue in a timely manner. He notes in the suit that although Caesars first disclosed the attack on Sept. 14, the company did not explain in a filing to the federal Securities and Exchange Commission the full breadth of the breach.
"Although the data breach was discovered on September 7, 2023, it is presently unknown and/or undisclosed as to when the actual data breach occurred, and for what period of time defendant’s systems were exposed. Defendant also failed to indicate when it first identified the 'suspicious activity' that resulted in the investigation," Rodriguez wrote.
According to Rodriguez, Caesars failed to maintain its network, software and technology partners, rendering the business “easy prey” for cybercriminals to exploit.
Furthermore, the suit claims the customers affected will suffer ongoing harm from fraud and identity theft, and customers will have to be vigilant and constantly monitor their financial accounts.
“To date, defendant has failed to provide notice to plaintiff and affected class members — thereby exacerbating their injuries. Ultimately, defendant deprived plaintiff and class members of the chance to take speedy measures to protect themselves and mitigate harm," Rodriguez said in the suit. "Simply put, defendant impermissibly left plaintiff and class members in the dark — thereby causing their injuries to fester and the damage to spread.”
Rodriguez is seeking a number of remedies, including compensatory damages, treble damages, punitive damages, reimbursement of out-of-pocket costs, and injunctive relief, including improvements to defendant’s data security systems, future annual audits, and adequate credit monitoring services funded by defendant.
"We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result," Caesars Entertainment said in a statement.
Attorneys for Rodriguez did not immediately respond to a request for comment.
The Thursday disclosure of the data breach by Caesars came after MGM Resorts International disclosed its own data breach Monday. MGM — another major player on the Las Vegas Strip — experienced widespread disruption this week after being hit by cybercriminals Sunday.