Rancho Mesquite Casino, Inc., which does business as Eureka Casino Hotel, says the complaint for this class action, suffered a large data breach that ran from November 9-13, 2022, exposing the personally identifiable information (PII) of casino customers and possibly employees. The complaint faults Eureka for maintaining the data “in a reckless manner” and failing to take adequate measures to prevent the data breach.
Two classes have been proposed for this action:
- The National Class is all persons whose PII was compromised in the cyberattack that Eureka discovered on or around November 12, 2022, that took place between November 9-13, 2022, and who were sent notice of the data breach.
- The California Class is all residents of California whose PII was compromised in the cyberattack that Eureka discovered on or around November 12, 2022, that took place between November 9-13, 2022, and who were sent notice of the data breach.
The complaint alleges that the information stolen in the data breach includes Social Security numbers and driver’s license numbers, and possibly other sensitive information, such as financial account numbers and debit or credit card information.
According to the complaint, the information of more than 229,000 persons was involved. It also claims that Eureka only informed the individual victims around a month later, on December 9, 2022, and also on or around February 16, 2023.
The complaint suggests that “the mechanism” used in the attack and the “potential for improper disclosure” of the information “was a known and foreseeable risk to [Eureka], and [Eureka] was on notice that failing to take steps necessary to secure the Private Information from those risks left that property in a dangerous condition.” The complaint also claims that Eureka and its employees did not properly monitor its computer systems, because the cyberattack would have been discovered sooner.
According to the complaint, Eureka only became aware of the intrusion into its systems when the cybercriminals encrypted its systems in a ransomware attack. The complaint claims that Eureka did not itself encrypt the information in its systems, so that the intruders were able to steal legible information.
The complaint alleges that the restaurant and hospitality businesses have been targeted more and more often by cybercriminals in recent years. “In fact,” it claims, “a similar data breach occurred recently involving another casino/restaurant in Nevada, where the defendant is facing a similar class action lawsuit in this District Court.”
The Federal Trade Commission (FTC) publishes guidelines for businesses for establishing reasonable cybersecurity practices. The complaint alleges that Eureka did not comply with these guidelines and also did not comply with industry standards for cybersecurity.