Your Social Security Number, Sold Because A Casino Skipped Encryption
Riverside Resort & Casino in Laughlin, Nevada stored the most sensitive data of over 55,000 workers and guests without encryption, handed it to ransomware criminals on a platter, and now offers victims a measly 12 months of credit monitoring in return.
A casino that generates $316 million a year (roughly what it would cost to feed 30,000 American families for an entire year) decided that encrypting your Social Security number was an expense it simply did not want to make.
What Riverside Did To 55,000 People
The Breach: A Timeline Of Corporate Failure
Riverside Resort & Casino sits on the Colorado River in Laughlin, Nevada. It runs a hotel, an RV park, eight restaurants, and entertainment venues. Approximately five million people visit per year, and the company employs more than 1,719 workers. Every one of those employees handed over their Social Security number and personal information as a condition of employment. Riverside took that information and left it sitting on an internet-accessible server, unencrypted, like a filing cabinet left unlocked on a public sidewalk.
On or before July 25, 2024, a ransomware gang found that open door and walked straight through it. Riverside says it “learned of suspicious activity” on that date. The company then spent two weeks identifying whose data had been stolen, finally pinpointing affected individuals on August 9, 2024. Riverside did not begin notifying the 55,150 people whose data was stolen until September 5, 2024, more than six weeks after the breach was discovered.
By the time those breach notification letters hit mailboxes, a ransomware gang had already claimed responsibility for the attack and was threatening to release all the stolen data publicly. The 55,000 people whose Social Security numbers were floating in criminal hands had no idea any of this was happening for over a month.
“Plaintiffs and Class Members had no idea their PII had been compromised, and that they were, and continue to be, at significant risk of identity theft and various other forms of personal, social, and financial harm. The risk will remain for their respective lifetimes.”
The Dark Web Data Market: What Your Identity Is Actually Worth
Your Social Security number on the dark web sells for significantly more than a stolen credit card number. A senior director at cybersecurity firm RedSeal told reporters that personally identifiable information and Social Security numbers are worth more than 10 times the price of stolen credit card data on the black market. Personal information sells for $40 to $200 per record; bank details fetch $50 to $200; and criminals can purchase access to entire company breach datasets for $900 to $4,500 (enough to wipe out a full month’s take-home pay for a minimum-wage worker).
Unlike a stolen credit card, which a victim can cancel within hours, a Social Security number cannot be cancelled. It follows you for life. The lawsuit makes this point with brutal clarity: the information stolen here is “impossible to ‘close’ and difficult, if not impossible, to change.” According to the U.S. Government Accountability Office, stolen data can sit dormant for a year or more before criminals deploy it, and the fraudulent use of that information can persist for years after that first use.
American companies spent over $19 billion (more than the GDP of a small nation) buying consumer personal data in 2018 alone. The data Riverside failed to protect is a commodity, a product with a measurable market price. Riverside collected it, profited from the labor and patronage of the people it belonged to, and then left it unguarded.
[Chart: Dark Web Market Prices: What Your Stolen Data Sells For]
The Non-Financial Ledger
What 55,000 People Actually Lost
The dollar figures in this lawsuit are real and they are damning. But the injury Riverside Resort & Casino inflicted on its workers and guests runs deeper than any line item in a damages claim. Consider what it actually means to have your Social Security number stolen. That nine-digit number is the spine of your entire financial identity in the United States. It connects to your tax records, your credit history, your medical identity, your employment history, your government benefits. You cannot change it the way you change a password. For most victims, that number is permanently compromised. Every one of the 55,150 people affected by this breach will carry that vulnerability for the rest of their lives, not just until the 12 months of free credit monitoring Riverside offered runs out.
The named plaintiffs, Robert Dapello and Jonathan Farnam, describe lives already changed. They spent immediate, irreplaceable time verifying the legitimacy of the breach notice, monitoring their accounts, changing login credentials, and researching identity theft protection services. That time is gone. It cannot be billed back to Riverside. The lawsuit describes how these individuals now scrutinize every phone call, every email, every financial statement, looking for signs that someone has stolen their identity. That is not inconvenience. That is the permanent installation of a low-grade anxiety into the daily fabric of life. The complaint explicitly names “anxiety, emotional distress, and loss of privacy” as direct and proximate injuries caused by Riverside’s negligence.
The source material notes that Riverside employed more than 1,719 people. Those employees did not choose to hand their Social Security numbers to a company with lax cybersecurity. They did it because employment in the United States requires it. Their employer collected that information as a condition of the job, held a legal duty to protect it, and then failed to implement the most basic available protection: encryption. The workers who serve drinks, clean hotel rooms, maintain the RV park, and staff the casino floor at Riverside did not sign up to have their identities sold on the dark web. They signed up for a paycheck.
The sense of betrayal embedded in this case runs through a power imbalance that is entirely typical of the corporation-versus-worker relationship. Riverside had full knowledge of the sensitivity of the data it held, the complaint states. The company knew the cybersecurity threat landscape. Warnings from federal agencies, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, were publicly available and directly applicable. Ransomware gangs were, as the complaint documents, openly targeting large companies, leaking data on dark web portals, tipping off journalists, and threatening victims. Riverside read none of it, or read all of it and chose to do nothing. The lawsuit describes Riverside’s conduct as “intentional, willful, reckless, or negligent.” The data breach was predictable. The failure to encrypt was a choice. And that choice now belongs, permanently, to 55,000 people who made no choice at all.
Legal Receipts: The Words They Cannot Take Back
Direct From The Complaint
“Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiffs and Class Members’ PII. Instead of providing a reasonable level of security that would have prevented the Data Breach, Defendant instead elected to increase its own profits at the expense of Plaintiffs and Class Members by utilizing cheaper, ineffective security measures.” — Class Action Complaint, Count III: Unjust Enrichment
“Defendant disregarded the rights of Plaintiffs and Class Members by intentionally, willfully, recklessly, or negligently failing to take and implement adequate and reasonable measures to ensure that the PII of Plaintiffs and Class Members was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies and procedures regarding the encryption of data, even for internal use.” — Class Action Complaint, Introduction, Para. 14
“Defendant has also purposefully maintained secret the specific vulnerabilities and root causes of the breach and has not informed Plaintiffs and Class Members of that information.” — Class Action Complaint, Para. 10
“Plaintiffs and Class Members now face a lifetime risk of (i) identity theft, which is heightened here by the loss of Social Security numbers, and (ii) the sharing and detrimental use of their sensitive information.” — Class Action Complaint, Para. 9
“The offered service [12 months of credit monitoring] is inadequate to protect Plaintiffs and Class Members from the threats they face for years to come, particularly in light of the PII at issue here.” — Class Action Complaint, Para. 76
“Defendant should be compelled to disgorge into a common fund or constructive trust, for the benefit of Plaintiffs and Class Members, proceeds that it unjustly received from them.”
The Timeline: How Long Riverside Left You In The Dark
[Chart: Key Dates: From Breach Discovery To Victim Notification (Days Elapsed)]
Societal Impact Mapping
Public Health: Identity Theft Is A Health Crisis
The FTC explicitly warns that identity thieves use stolen Social Security numbers to receive medical treatment in a victim’s name. This is called medical identity theft, and it is one of the most dangerous downstream consequences of a breach like this one. When a criminal uses your Social Security number to access healthcare, they create medical records in your name. Those records can contain the wrong blood type, wrong allergies, wrong diagnoses. In a genuine medical emergency, a doctor treating you could be reading a corrupted file that belongs to a criminal. The lawsuit directly lists “medical fraud” among the anticipated harms facing the 55,150 victims of this breach.
The complaint documents that identity thieves may also obtain government benefits, file fraudulent tax returns, obtain jobs, and rent housing using stolen Social Security numbers. These are survival-level resources. When a criminal drains your government benefits, you lose food, housing assistance, or disability income. The injury scales with how economically vulnerable the victim already is. The workers at a Laughlin, Nevada casino, many of whom earn hourly wages in one of the most economically distressed regions of the American Southwest, are precisely the population least equipped to absorb the cascading costs of identity theft: monitoring services, credit freezes, legal fees, lost productivity, and the emotional toll of years of financial vigilance.
The complaint cites data showing that identity fraud reports nearly doubled between 2017 and 2021, rising from 2.9 million to 5.7 million reports per year. Riverside’s breach did not happen in isolation. It contributes to a national epidemic that systematically grinds down the financial health of working-class Americans while corporations like Riverside pocket the savings from skipping security investments. Anxiety and emotional distress, named explicitly in the lawsuit as damages, are legitimate public health injuries. They compound over time. They do not resolve when the 12-month credit monitoring subscription expires.
Economic Inequality: The Workers Paid Twice
The unjust enrichment count in this lawsuit lays out the economic logic of corporate data negligence with unusual clarity. Riverside collected money from the people who worked there and the guests who patronized the resort. It owed those people, as part of the implied exchange, reasonable data security. Instead, Riverside pocketed the money it should have spent on security. The people who trusted Riverside paid the price in identity exposure. Riverside kept the profit. The workers paid once in labor and once in risk.
The complaint notes that Riverside generates $316 million in annual revenue (more than the total annual income of roughly 6,000 median-wage American workers). The cybersecurity measures the U.S. government recommends, including spam filters, multi-factor authentication, encrypted data storage, firewall configuration, and basic staff training, are not exotic or experimental technologies. They are standard practices. The FBI guide cited in the lawsuit describes prevention as “the most effective defense against ransomware.” These measures cost money, but nowhere near $316 million. Riverside chose not to spend that money. That decision is the economic inequality story: a corporation with hundreds of millions in revenue transferred its security risk onto 55,000 workers and guests who had no power to protect themselves.
The class action structure itself is a window into this power imbalance. The complaint acknowledges that most individual class members could not afford to litigate a complex data breach claim against a large corporation. Riverside’s financial and legal resources vastly exceed those of any single affected individual. The only way to hold a company like Riverside accountable is collectively. That is exactly why class action law exists, and exactly why corporations lobby against it.
The “Cost of a Life” Metric
Riverside’s Profit From Skipping Security
Riverside’s annual revenue (enough to fund basic cybersecurity for every resort, hotel, and small casino in Nevada, multiple times over)
Source: JD Supra, cited in complaint
People whose Social Security numbers and names were stolen due to a security investment Riverside chose not to make
Source: Maine AG filing, cited in complaint
Credit monitoring offered by Riverside. The Social Security number exposure lasts a lifetime. The gap between those two numbers is the cost Riverside transferred onto you.
Source: Complaint, Para. 76
How much more a stolen Social Security number sells for on the dark web compared to a stolen credit card number, according to cybersecurity firm RedSeal
Source: IT World, cited in complaint
[Chart: Riverside Annual Revenue ($316M) vs. Identity Fraud Reports: A Scale Of Priorities]
Press release for this data breach from the state of California: https://oag.ca.gov/system/files/NoticeLetter_RiversideResort_REVISED_v2_Redacted_0.pdf