Milberg Files Rivers Casino Data Breach Class Action Lawsuit
by Brian Eckert
A casino in Des Plaines, Illinois failed to adequately protect patrons’ sensitive personal information that was compromised in a “massive” cyberattack in August, claims a Milberg class action lawsuit.
Anyone whose information was stolen in the attack may be eligible to join this lawsuit and recover compensation related to identity theft risk, the diminished value of their private data, and other losses. Data privacy attorney and Milberg Senior Partner Gary M. Klinger is representing the class.
Data Breach Notices Sent November 2023
On or about November 20, 2023, Rivers Casino began sending data breach notices to individuals affected by a data breach that occurred approximately three months earlier, according to Milberg’s complaint.
The notice states that “certain personal information of Rivers Casino Des Plaines Team Members, customers, and online sportsbook customers may have been accessed or removed” during the August cyberattack. Affected information includes:
- Contact information (phone numbers, email addresses, and postal addresses)
- Dates of birth
- Driver’s license or government ID numbers
- Financial account numbers
- Tax identification numbers
- Social Security numbers
- Passport numbers
Not contained in the notice were the crucial details of how the data breach occurred and what steps Rivers Casino is taking to prevent future breaches. Lacking these details, the ability of victims to mitigate harms resulting from the data breach is “severely diminished,” the complaint states.
PII Not Encrypted
Data encryption is recognized as a best practice for cybersecurity. Kaspersky, a leading cybersecurity firm, notes that encryption is “the simplest and most important way” to make sure a computer system’s information can’t be stolen and read by data thieves.
Milberg’s lawsuit alleges that Rivers Casino did not encrypt the stolen personal data, making it highly vulnerable to cybercriminals, and that the use of encryption and other reasonable data security measures could have prevented the data breach.
The unencrypted PII of Class Members may end up for sale to identity thieves on the dark web, if it has not already, or it could simply fall into the hands of companies that will use the detailed PII for targeted marketing without the approval of Plaintiff and Class Members.
The FBI warned companies last month in a private industry notification that ransomware targeting casinos is on the rise following high-profile attacks at MGM Resorts, Caesars Entertainment, and Marina Bay Sands. A Gartner analyst says that casinos are opportunistic targets due to their high revenue and multiple access points. Phishing attacks, vulnerabilities in third party vendor remote access tools, and stolen employee credentials are some of the ways that criminals have hacked casinos.
In the third quarter of FY 2023 alone, more than 7,000 organizations suffered data breaches, resulting in the personal information of nearly 67 million individuals being compromised. Recent high profile data breaches at large companies like Microsoft and Facebook should have served as a warning to Rivers Casino to secure the PII they collect and maintain, according to the complaint.
Lead Plaintiff and Proposed Class
Chicago resident and lead plaintiff Michael Glebiv asserts that he would not have entrusted his personal information to Rivers Casino had he known the business was maintaining data “in a reckless manner” that made it more susceptible to cyberattacks such as the one against the casino in August.
The alleged data security shortcomings at Rivers Casino caused Glebiv and proposed class members to face “an ongoing and lifetime risk of identity theft, which is heightened by the exposure of their Social Security numbers to criminals,” the plaintiff says.
Instead of providing a reasonable level of security that would have prevented the data breach, defendant instead calculated to avoid the data security obligations at the expense of plaintiff and class members by utilizing cheaper, ineffective security measures.
In addition to identity theft risk, Glebiv and class members will incur costs and time to avoid the risk, including learning more about the data breach and monitoring their financial accounts and credit reports for years to come. They also face the diminution in value of their PII, the future cost of credit and identity theft monitoring, and the loss of the benefit of the contractual bargain with the casino, the complaint adds.
Glebiv seeks compensatory damages and a range of injunctive relief, such as requiring the casino to encrypt data and fund identity theft restoration services, on behalf of himself and a nationwide class comprised of the following individuals:
- All persons in the United States whose PII was maintained on Rivers Casino computer systems and compromised in the Data Breach, including those who were sent Notice of Data Breach Incident emails from Defendant.
The lawsuit, filed in Illinois federal court, cites claims for negligence, negligence per se, breach of implied contract, unjust enrichment, and violation of the Illinois Consumer Fraud Act.
Glebiv and the class are represented by Milberg’s Gary M. Klinger, one of the most well-known and respected data privacy attorneys in the U.S., who has settled more than 30 class actions involving privacy violations as lead or co-lead counsel.
Milberg pioneered federal class action lawsuits and remains a national leader in class action and data breach litigation.