Wynn Resorts has confirmed that employee data was stolen from its servers, and is taking the hackers’ word that they’ve since deleted it.
For anyone familiar with how extortion typically plays out, that’s a bold leap of faith. However, Wynn appears satisfied enough to include the assurance in its first official statement since prolific cybercrime crew ShinyHunters claimed credit for the attack last week.
“We have learned that an unauthorized third party acquired certain employee data,” a Wynn Resorts spokesperson told The Register. “Upon discovery, we immediately activated our incident response protocols and launched a thorough investigation with the help of external cybersecurity experts.
“The unauthorized third party has stated that the stolen data has been deleted. We are monitoring and to date have not seen any evidence that the data has been published or otherwise misused.”
As noted by Dray Agha, senior manager of security operations at Huntress, when miscreants “confirm” they have deleted stolen data, it suggests a ransom may have been paid, although Wynn did not respond to questions about this.
“Trusting cybercriminals is inherently flawed; there is no honour among thieves,” Agha told The Register. “There is absolutely no reliable way to verify that an extortionist has permanently deleted stolen data. Copies are frequently retained, shared, or sold months down the line.”
He added: “An attacker providing an assurance of deletion is a classic hallmark of a completed extortion negotiation. In the business model of modern cybercrime, ‘deletion’ is exactly the service these cartels claim to provide once their financial demands have been met.”
Wynn Resorts, which runs a line of luxury hotels across the world, told us the attack had no impact on its operations or guest stays.
It’s also offering free credit monitoring and identity protection to all employees, and in typical post-breach verbiage assured that data security “is our top priority.”
Agha said that Wynn’s decision to offer credit monitoring to employees shows how little anyone can trust the word of a cybercriminal.
“Wynn’s decision to offer credit monitoring to employees is a necessary and prudent move, as it acknowledges that a threat actor’s ‘promise’ holds zero actual security value,” he said. “We cannot definitively confirm a ransom was paid without explicit confirmation from Wynn.”
Regular readers may recall the LockBit leaks of 2024, and how the UK’s National Crime Agency (NCA) attempted to undermine the reputation of the ransomware operation at the time.
In turning the gang’s leak site against it, exposing its inner secrets, the NCA confirmed a long-held suspicion among security practitioners that cybercriminals don’t delete data even after a ransom is paid.
“While no company can ever eliminate the risk of a cyberattack, we are taking appropriate steps and working with industry-leading third-party IT advisors to strengthen our systems to protect against future incidents,” Wynn’s statement concluded.
ShinyHunters claimed the attack against Wynn on February 20. As we reported at the time, a sample of the stolen data shared with The Register appeared legitimate and included full names, email addresses, phone numbers, job roles, salaries, start dates, dates of birth, and other personal information belonging to staff members.
The cybercrooks claimed to have breached Wynn as far back as September 2025 by exploiting an Oracle PeopleSoft vulnerability and using a staffer’s credentials.
ShinyHunters is separate from but loosely affiliated with Scattered Spider, which was responsible for a cyber double whammy on Las Vegas hotels and casinos in 2024.
Several Scattered Spider members were arrested in connection with the attacks on Caesars Entertainment and MGM Resorts – some in 2024, and some over a year after the attacks. ®