Wynn Resorts Confirms Data Breach After ShinyHunters Threats
#Security

Regulation Reporter

Wynn Resorts confirms employee data was stolen in a cyberattack, with the company taking the hackers' word that the data has been deleted. Security experts question this approach and highlight the inherent risks of trusting cybercriminals.

Wynn Resorts has confirmed that employee data was stolen from its servers following threats from the cybercrime group ShinyHunters, raising serious questions about the company's response and the broader issue of trusting cybercriminals' assurances.

The Breach and Initial Response

The luxury hotel chain disclosed that an unauthorized third party acquired certain employee data, activating its incident response protocols immediately upon discovery. Wynn Resorts stated that the attackers have claimed to delete the stolen data, and the company reports no evidence of the information being published or misused to date.

However, security professionals have expressed deep skepticism about accepting such assurances at face value. Dray Agha, senior manager of security operations at Huntress, noted that when cybercriminals "confirm" data deletion, it typically indicates a ransom has been paid, though Wynn did not respond to questions about whether payment occurred.

The Problem with Trusting Cybercriminals

Agha emphasized that trusting cybercriminals is "inherently flawed" and that there is "no honour among thieves." He explained that there is absolutely no reliable way to verify permanent deletion of stolen data, as copies are frequently retained, shared, or sold months later. The assurance of deletion is described as a "classic hallmark of a completed extortion negotiation" within the modern cybercrime business model.

This skepticism is well-founded based on past incidents. The UK's National Crime Agency previously attempted to undermine the LockBit ransomware operation in 2024 by exposing its inner secrets through the gang's own leak site. This operation confirmed long-held suspicions that cybercriminals don't actually delete data even after receiving ransom payments.

Impact and Mitigation Efforts

Wynn Resorts maintains that the attack had no impact on its operations or guest stays. However, the company is offering free credit monitoring and identity protection to all employees, a move that security experts view as necessary given the uncertainty surrounding the attackers' claims.

Agha pointed out that Wynn's decision to provide credit monitoring acknowledges that a threat actor's "promise" holds zero actual security value. This precautionary measure reflects the reality that, without explicit confirmation from the organization, it cannot be definitively established whether a ransom was paid.

The ShinyHunters Connection

ShinyHunters claimed responsibility for the attack on February 20, 2026, stating they had breached Wynn as far back as September 2025. The group reportedly exploited an Oracle PeopleSoft vulnerability and used a staffer's credentials to gain access. A sample of the stolen data shared with media outlets included full names, email addresses, phone numbers, job roles, salaries, start dates, dates of birth, and other personal information belonging to staff members.

ShinyHunters operates separately from, but is loosely affiliated with, Scattered Spider, the group responsible for cyberattacks on Las Vegas hotels and casinos in 2024. Several Scattered Spider members were arrested in connection with attacks on Caesars Entertainment and MGM Resorts, with some arrests occurring over a year after the initial incidents.

Industry-Wide Implications

The Wynn Resorts incident highlights a troubling pattern in cybercrime response. Companies facing data breaches often find themselves in a position where paying ransoms and trusting criminals' promises seems like the only viable option to protect their employees and reputation. However, this approach creates a dangerous precedent that may encourage further criminal activity.

Wynn's statement concluded by acknowledging that while no company can ever eliminate the risk of a cyberattack, it is taking appropriate steps and working with industry-leading third-party IT advisors to strengthen its systems against future incidents. This response reflects the ongoing challenge organizations face in balancing immediate damage control with long-term security improvements.

The case also underscores the sophisticated nature of modern cybercrime operations, where groups like ShinyHunters maintain complex relationships with other criminal organizations and employ advanced techniques to exploit vulnerabilities in enterprise systems. As these threats continue to evolve, organizations must develop more robust security frameworks that don't rely on the uncertain promises of those who have already demonstrated their willingness to break the law.
