Nevada Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

Nevada's economy is dominated by industries that collect and process enormous volumes of sensitive personal data around the clock. The gaming and hospitality sector alone handles millions of credit card transactions, loyalty program records, guest identification documents, and reservation details every day. This concentration of high-value data in always-on environments — combined with the state's relatively small IT workforce outside of Las Vegas and Reno — makes Nevada a persistent target for sophisticated threat actors, from social engineering crews to ransomware syndicates.

The incidents detailed below are not historical curiosities. They reveal specific attack patterns that continue to threaten Nevada organizations today. Whether your business operates on the Las Vegas Strip or in a state government office in Carson City, these cases illustrate the cybersecurity threats that should shape your security posture, and the Nevada compliance requirements that govern your response when a breach occurs.

Major Cyber Incidents in Nevada: A Timeline

2014 — Las Vegas Sands Corporation Breach

In February 2014, Las Vegas Sands Corporation — parent company of The Venetian and Palazzo resorts — suffered a destructive cyberattack attributed to Iranian hackers. The attack, believed to be retaliation for comments made by company chairman Sheldon Adelson regarding Iran, wiped data from thousands of servers and workstations, destroyed email systems, and defaced the company's websites. Security researchers and U.S. intelligence officials linked the attack to Iranian state-sponsored actors. Las Vegas Sands reported spending over $40 million on recovery and remediation. The incident was one of the first major destructive cyberattacks against a U.S. corporation and demonstrated that casinos were targets not just for financially motivated criminals but for nation-state actors pursuing geopolitical objectives.

2019 — Hanna Andersson Data Breach

Hanna Andersson, the children's clothing retailer headquartered in Portland but operating distribution and e-commerce infrastructure in Henderson, Nevada, disclosed a data breach affecting customers who made online purchases between September and November 2019. Attackers compromised the company's third-party e-commerce platform by injecting malicious code — a technique known as Magecart or web skimming — that captured customer names, shipping addresses, billing addresses, payment card numbers, CVV codes, and expiration dates at the point of transaction. The stolen data was later found for sale on dark web marketplaces. Hanna Andersson reached a $400,000 settlement with the attorneys general of multiple states, including California and Nevada, over its failure to implement adequate security measures.

2020 — Clark County School District Ransomware Attack

In August 2020, the Clark County School District (CCSD) — the fifth-largest school district in the United States, serving over 300,000 students in Las Vegas and surrounding areas — was hit by the Maze ransomware group. The attack occurred just as CCSD was transitioning to remote learning during the COVID-19 pandemic. When the district refused to pay the ransom, the Maze group published stolen data on its leak site, including Social Security numbers, student records, and employee personal information. The breach exposed the personal data of current and former students, parents, and employees. CCSD's experience demonstrated that ransomware operators will target organizations during moments of maximum operational stress and that the refusal to pay often results in data publication.

2022 — City of Las Vegas Network Intrusion

In January 2020, the City of Las Vegas detected a cybersecurity intrusion in its computer network. City officials acknowledged the incident publicly and stated that they had detected the intrusion early enough to avoid significant disruption to city services. While specific details about the nature of the attack and the data potentially accessed were limited, the incident prompted the city to accelerate its cybersecurity modernization efforts. The city's relatively quick detection was attributed to investments it had made in network monitoring following earlier cybersecurity assessments.

2023 — MGM Resorts International Cyberattack

In September 2023, MGM Resorts International suffered one of the most high-profile cyberattacks in U.S. hospitality history. The attack was carried out by a group known as Scattered Spider (UNC3944), a loosely organized collective of young, primarily English-speaking hackers who used social engineering to bypass MGM's identity and access management systems. The attackers called MGM's IT help desk, impersonated an employee they had identified on LinkedIn, and convinced a support technician to reset multi-factor authentication credentials. Once inside, the attackers deployed BlackCat/ALPHV ransomware across MGM's systems.

The impact was immediate and severe. Slot machines across MGM properties went dark. Hotel room key cards stopped working. The company's website and mobile app went offline. Guests at the Bellagio, MGM Grand, Mandalay Bay, and other properties could not check in electronically and experienced disruptions for more than ten days. MGM disclosed that the attack cost the company approximately $100 million in lost revenue and remediation expenses during the third quarter of 2023 alone. The company also reported that the attackers accessed personal data of customers, including names, contact information, dates of birth, driver's license numbers, and for some customers, Social Security numbers and passport numbers.

2023 — Caesars Entertainment Data Breach

Just days before the MGM attack became public, Caesars Entertainment disclosed that it had also been targeted by what investigators believe was the same Scattered Spider group using similar social engineering tactics against an outsourced IT support vendor. Caesars confirmed in an SEC filing that the attackers obtained a copy of the company's loyalty program database, which included driver's license numbers and Social Security numbers for a significant number of members. Reports indicated that Caesars paid approximately $15 million of a $30 million ransom demand to prevent publication of the stolen data. Caesars' decision to pay — contrasted with MGM's refusal — sparked industry-wide debate about the effectiveness and ethics of ransom payments.

Nevada Data Breach Notification Requirements

Nevada's data breach notification law is codified in NRS 603A.220. It requires any data collector that maintains personal information of Nevada residents to notify affected individuals when it becomes aware of a breach of the security of system data. Unlike states such as Texas or Florida that have set specific timeframes, Nevada requires notification in the most expedient time possible and without unreasonable delay. If the breach affects more than 1,000 Nevada residents, the data collector must also notify consumer credit reporting agencies.

Personal information under NRS 603A includes a person's first name or initial and last name combined with Social Security number, driver's license or state identification number, financial account numbers with access codes, medical identification numbers, health insurance identification numbers, or email addresses with associated passwords. For a detailed analysis of Nevada's broader regulatory framework, see our guide to Nevada cybersecurity compliance requirements.

Which Nevada Industries Are Most Targeted?

Gaming and Casino Operations

Nevada's gaming industry generated $15.2 billion in gross gaming revenue in fiscal year 2023. Casinos operate 24 hours a day, 365 days a year, processing vast quantities of financial transactions, guest identification data, and surveillance footage. The MGM and Caesars attacks demonstrated that even the largest gaming operators are vulnerable to social engineering attacks that bypass technical security controls. Gaming companies face unique regulatory requirements under the Nevada Gaming Control Board, which has increasingly incorporated cybersecurity into its oversight mandate.

Hospitality and Tourism

Las Vegas welcomed approximately 40.8 million visitors in 2023. Hotels, restaurants, entertainment venues, and convention operators collect guest data including payment information, identification documents, and loyalty program profiles. Point-of-sale systems across thousands of hospitality establishments create a massive attack surface. The interconnected nature of resort operations — where a single breach can affect hotel, restaurant, spa, and entertainment systems simultaneously — amplifies the impact of any compromise. Businesses in this sector should consider managed IT services to maintain continuous security monitoring.

State and Local Government

Nevada state agencies and local governments manage sensitive resident data including tax records, benefit applications, law enforcement databases, and vital statistics. The Clark County School District ransomware attack showed that public institutions with large data holdings and limited IT budgets are attractive targets. State government operations in Carson City and county governments across Nevada's 17 counties face the same resource constraints that make public sector organizations nationwide disproportionately vulnerable.

Lessons from Nevada's Breach History

Several patterns emerge from Nevada's cybersecurity incident timeline that businesses across the state should internalize:

• Social engineering bypasses technical controls — the MGM and Caesars attacks succeeded not through sophisticated malware or zero-day exploits but through phone calls that manipulated help desk staff. Technical security investments are insufficient without robust identity verification procedures for account recovery and MFA resets

• Third-party vendors are a primary attack vector — Caesars was breached through an outsourced IT provider, and Hanna Andersson through a compromised e-commerce platform. Vendor security assessments and contractual security requirements are essential

• Data exfiltration often precedes ransomware deployment — modern ransomware groups steal data before encrypting systems, creating dual extortion pressure. Organizations need data loss prevention and network monitoring, not just backup and recovery

• Response speed matters — the City of Las Vegas's early detection limited damage, while MGM's extended outage cost over $100 million. Investment in detection and monitoring capabilities pays measurable dividends

How to Protect Your Nevada Business

The attacks described above point to specific, actionable security investments:

• Implement strict identity verification for help desk operations — require callback verification, manager approval, or in-person confirmation before resetting MFA tokens or credentials, directly addressing the social engineering vector that compromised MGM and Caesars

• Deploy endpoint detection and response (EDR) across all systems to detect lateral movement and ransomware deployment before encryption begins

• Segment networks so that a compromise in one system — a hotel reservation platform, for example — cannot spread to gaming systems, payment processing, or guest data stores

• Monitor for data exfiltration using data loss prevention tools and network traffic analysis to detect large outbound data transfers before attackers complete their theft

• Maintain tested offline backups and practice restoration procedures regularly to ensure operational resilience against ransomware

Many Nevada businesses work with managed IT services providers and managed security services firms to maintain 24/7 monitoring and response capabilities that match the always-on nature of Nevada's core industries.

Frequently Asked Questions

How quickly must a Nevada business report a data breach?

Under NRS 603A.220, Nevada businesses must notify affected individuals in the most expedient time possible and without unreasonable delay after discovering a breach. Unlike some states that specify a deadline in days, Nevada's standard is a reasonableness test. If more than 1,000 Nevada residents are affected, the business must also notify the major consumer credit reporting agencies. Courts and regulators interpret unreasonable delay based on the facts of each case, so businesses should begin notification as soon as the scope of the breach is reasonably understood.

What was the total cost of the MGM Resorts cyberattack?

MGM Resorts reported that the September 2023 cyberattack cost approximately $100 million in lost revenue and remediation costs during the third quarter of 2023. This figure includes lost room bookings, reduced gaming revenue during the outage, incident response and forensic investigation costs, and technology remediation expenses. The full long-term cost — including legal settlements, regulatory responses, and reputational impact — is likely higher. MGM chose not to pay the ransom demand.

Did Caesars Entertainment pay the ransom?

Yes. Caesars Entertainment confirmed in its September 2023 SEC filing that it paid a ransom, reportedly approximately $15 million of an initial $30 million demand, to prevent the publication of loyalty program data stolen in the breach. Caesars' decision to pay contrasted with MGM's refusal and reignited debate across the cybersecurity community about whether ransom payments encourage further attacks or represent a legitimate business decision to protect customer data.

Is Nevada's gaming industry regulated for cybersecurity?

The Nevada Gaming Control Board (NGCB) oversees gaming operations and has increasingly incorporated cybersecurity expectations into its regulatory framework. Gaming licensees are subject to internal control standards that include requirements for information technology security. Following the 2023 incidents at MGM and Caesars, the Nevada Gaming Commission signaled interest in strengthening cybersecurity requirements for licensees, though formal regulations continue to evolve. Gaming companies must also comply with PCI-DSS for payment card processing and Nevada's general data security laws under NRS 603A.

What types of data were exposed in the Clark County School District breach?

The Maze ransomware group published data stolen from Clark County School District that included Social Security numbers, student records, employee personal information, and internal district documents. The breach affected current and former students, parents, and district employees. Because CCSD is the fifth-largest school district in the country, the volume of exposed records was substantial. The incident underscored the sensitivity of educational records and the risks that school districts face as custodians of minor children's personal data.