Caesars class action alleges casino failed to properly protect customer information before data breach

Caesars class action lawsuit overview:

• Who: Plaintiff David Lackey filed a class action lawsuit against Caesars Entertainment Inc.
• Why: Caesars allegedly failed to adequately protect Caesars Rewards members’ personally identifiable information, leaving it vulnerable to hackers.
• Where: The Caesars class action lawsuit was filed in Nevada federal court.

Caesars Entertainment Inc. failed to adequately safeguard its customers’ personally identifiable information (PII), leaving the data vulnerable to hackers in a recent Caesars data breach, a class action alleges.

Plaintiff David Lackey filed the Caesars class action lawsuit Sept. 29, alleging the hotel/casino was targeted by cybercriminals earlier in the month. The cybercriminals were allegedly able to access a copy of the casino’s loyalty program database, which included driver’s license numbers and Social Security numbers.

The Caesars data breach was allegedly instigated by a cybercriminal organization called Scattered Spider, which obtains access to data systems by impersonating people in the company through “convincing” phone calls.

The cybercriminals allegedly demanded Caesars pay a $30 million ransom. The casino company paid about half of this amount to the hackers, the Caesars class action lawsuit says.

Caesars data breach likely affected millions, plaintiff alleges

Lackey notes that, with more than 65 million members, Caesars has one of the biggest loyalty programs in the gaming industry. The rewards program allows its members to earn credits to use on a variety of Caesars’ services, such as gambling, hotel reservations, shopping and dining.

To enroll in the Caesars Rewards program, consumers must consent to the “collection and use of Member personal information” according to the hotel/casino’s privacy policy, Lackey explains. Caesars reportedly collects personal information including full names, birthdates, addresses, phone numbers, email addresses, credit card numbers, biometric information, health information, gaming activity data and other information.

“PII stolen in the [Caesars data breach] can be misused on its own or can be combined with personal information from other sources (such as publicly available information, social media, etc.) to create a package of information capable of being used to commit further identity theft,” the Caesars class action lawsuit alleges.

The threat of fraud and identity theft will affect Caesars data breach victims for years, Lackey alleges. He claims that they will incur out-of-pocket costs due to the Caesars data breach and spend significant amounts of time monitoring their accounts for fraud and dealing with fraudulent activity. Their PII has also allegedly declined in value, according to the Caesars class action lawsuit.

Lackey says it is likely that millions of Caesars Rewards members are affected. He filed the Caesars class action lawsuit on behalf of himself and a proposed class of others whose PII was acquired by cybercriminals due to the Caesars data breach.

The complaint asserts claims for negligence, negligent misrepresentation, breach of implied contract and unjust enrichment, among other claims.

Were you affected by the Caesars data breach? Tell us about your experience in the comments.

The plaintiff is represented by Dom Springmeyer of Kemp Jones LLP; James J. Pizzirusso, Amanda V. Boltax and Steve N. Nathan of Hausfeld LLP; and Douglas J. McNamara and Brian E. Johnson of Cohen Milstein Sellers & Toll PLLC.

The Caesars data breach class action lawsuit is David Lackey v. Caesars Entertainment Inc., Case No. 2:23-cv-01562, in the U.S. District Court for the District of Nevada.

Read About More Class Action Lawsuits & Class Action Settlements:

• MGM class action claims data breach exposed sensitive customer information
• Ransomware group claims to have hacked all of Sony systems
• Judge consolidates 7 class actions over Progressive data breach
• IBM, Johnson & Johnson class action claims companies failed to safeguard protected health information