
A class-action lawsuit filed in Nevada District Court alleges Rancho Mesquite Casino Inc. (RMC) failed to protect its casino customers during a data breach. According to the complaint, the casino operator’s data security measures left its computer systems open to cyberattack. As a result, nearly 230,000 customers had sensitive personal information stolen, including full names and Social Security Numbers.
The 44-page filing states:
Simply put, plaintiff and class members now face substantial risk of out-of-pocket fraud losses such as loans opened in their names, medical services billed in their names, tax return fraud, utility bills opened in their names, credit card fraud, and similar identity theft.
Nevada-based Rancho Mesquite Casino Inc. operates the affected properties under the Eureka brand in Las Vegas and Mesquite. The Rising Star Sports Ranch Resort, also in Mesquite, and the Brook in Seabrook, New Hampshire, round out RMC’s casino holdings.
Timeline of Rancho Mesquite Data Breach
The lawsuit and reports RMC submitted to Maine’s Attorney General each state the breach occurred between Nov. 9 and Nov. 13, 2022. RMC discovered the cyberattack and began securing its systems on Nov. 12.
The first letter to affected customers went out three weeks later, on Dec. 9. A second followed on Feb. 16, 2023.
Interestingly, the first report to the AG, submitted on Dec. 13, indicated a personal data breach affecting 1,737 RMC customers. A second report filed on Feb. 17, 2023, increased that count substantially to 229,229.
Another noticeable change: December’s first AG report listed only full names and Social Security Numbers as having been compromised. February’s follow-up added financial account info to the list. That includes access codes, passwords, and PINs. The lawsuit claims driver’s license numbers were also part of the stolen data.
Differences in the letters sent to affected customers suggest the breach was worse for some than others, which invites questions about what it entailed. The letter from Dec. 9 states:
On November 9, 2022, Eureka experienced a cybersecurity incident during which some of our systems were encrypted by an unauthorized actor. Upon discovering the incident, we immediately took steps to secure our systems, began an investigation, and a cybersecurity firm was engaged to assist. Although the investigation is ongoing, we identified certain data that the unauthorized actor accessed during the incident. We began a review of the data and identified that the data included some of your information. Specifically, the data included your name and Social Security number.
The follow-up from Feb. 16 states:
“…Although the investigation is ongoing, we identified certain data that the unauthorized actor accessed during the incident. On January 24, 2023, we determined that this dataset included some of your information. The types of data varied by individual, but generally may have included your <<Breached Elements>>.”
Representing the plaintiffs are Wise Law Firm of Nevada and Arnold Law Firm of California. They jointly filed the lawsuit on Feb. 22.
RMC Allegedly Failed to Encrypt Sensitive Customer Information
According to details in the Nevada filing, RMC inadequately safeguarded class members’ private information.
Specifically, the suit alleges RMC “recklessly” stored the data on an unsecured computer network, making it vulnerable to a cyberattack. Also at issue is the time RMC took between discovering the breach and notifying the affected customers.
As a result, the named plaintiff, William Houghton of California, seeks restitution for the harm inflicted on himself and others. The suit states Houghton “would not have entrusted his Private Information to Eureka had he known that Eureka would fail to maintain adequate data security.”
As a remedy, the lawsuit asks the court to order:
Compensatory damages, reimbursement of out-of-pocket costs, and injunctive relief including improvements to Defendant’s data security systems, future annual audits, and adequate credit monitoring and identity restoration services funded by Defendant.
Five Counts Include Alleged Negligence, Breach of Contract
The lawsuit includes five separate allegations against RMC:
- Negligence
- Breach of implied contract
- Negligence per se (i.e., neglect of specific legally-mandated duties)
- Unjust enrichment
- Violation of California’s “Unfair Competition Law”
Houghton’s legal action for the first four counts is on behalf of the class action’s entire national class. The final count, however, only applies to the plaintiff and a California class. It alleges that RMC “engaged in unlawful and unfair business practices” under Section 17200 of the California Business and Professions Code, also known as the Unfair Competition Law.
Additionally, the plaintiff reserved the right to adjust or add to the proposed classes if “information and discovery indicate that the definitions of the Classes should be narrowed, expanded, or otherwise modified.”
What’s Next for the Rancho Mesquite Casino Class Action?
Before the lawsuit can go ahead, the Nevada courts must certify the action and its classes. If certified, all the plaintiffs identified as harmed by RMC will be included in the lawsuit unless they opt out.
From there, the lawsuit will proceed to a trial. Houghton has requested this be a trial by jury.
It’s typical for class actions like this to take many years to resolve, although a settlement could come sooner. Houghton seeks an outcome preventing RMC from further misusing customers’ private data. Additionally, the suit seeks injunctive relief to protect the plaintiff and class members.
Such protection would include requirements for data encryption, destruction of old files, keeping data off the cloud, and regular audits of data security measures. The suit also seeks monetary damages, including all those allowed by law, attorney’s fees and expenses, prejudgement interest on any awards, and any “further relief as this court may deem just and proper.”
Lastly, the lawsuit requests the court holds the defendant responsible for all expenses related to the prevention and detection of, and recovery from, identity theft, tax fraud, and unauthorized use of the plaintiff and class members’ personal information over their respective lifetimes.
The complaint claims RMC’s monitoring service is “wholly inadequate,” explaining:
The services are only offered for 12 months and it places the burden squarely on Plaintiff and Class Members by requiring them to expend time signing up for that service, as opposed to automatically enrolling all victims of this cybercrime.