Cyber Incident Victim: Crystal Bay Casino
Date:
Nov 2022
Location:
United States of America
Summary
Crystal Bay Casino experienced a cybersecurity incident involving unauthorized access to its computer network, leading to the exfiltration of sensitive consumer data. The organization detected unusual network activity, secured its systems, and initiated an investigation, confirming that attackers obtained files containing personal information such as names, Social Security numbers, and driver’s license numbers. Following a review of compromised records, notifications were dispatched to over 86,000 affected individuals whose confidential details were exposed in the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 1, 2022, Crystal Bay Casino detected unusual activity within its computer network, prompting immediate security measures to contain the incident. The Nevada-based hotel and casino secured its systems and initiated a forensic investigation to determine the nature, scope, and potential impact of the unauthorized access. The investigation confirmed that an external threat actor had infiltrated the company's IT infrastructure and exfiltrated specific files containing sensitive consumer data. While the exact duration of unauthorized access remains unspecified in public filings, the compromise involved the removal of documents storing personally identifiable information. Crystal Bay Casino's review of the affected files, completed on January 25, 2023, verified that the breached records included names, Social Security numbers, and driver's license numbers. The company did not disclose technical details regarding the attack vector, malware involvement, or whether ransomware was deployed during the intrusion. No evidence suggests customer financial data or payment card information was accessed or stolen in the breach.
The data exposure impacted 86,291 individuals whose personal information resided on the compromised systems. Crystal Bay Casino formally notified the Attorneys General of Maine, Montana, and Massachusetts about the breach on February 24, 2023, in compliance with state reporting regulations. Notification letters were dispatched to all affected consumers on the same date, advising them of the specific data elements exposed in their respective cases. The company did not publicly disclose whether it offered credit monitoring services or identity theft protection to victims beyond the mandatory breach notifications. As a hospitality and gaming establishment generating approximately $17 million annually with 92 employees, the incident represents a significant operational security event for the 86-year-old Lake Tahoe venue. No subsequent attacks or additional data leaks related to this breach have been reported through official channels following the containment measures implemented in November 2022.