EvilCorporations.com | Corporate Accountability Reporting | Data Security
Saratoga Harness Racing, Inc. · Data Breach · 2024
Saratoga Harness Racing Exposed 20,866 People’s Social Security Numbers and IDs in a 2024 Cyberattack
A casino and harness track stored the most sensitive personal data of tens of thousands of customers and workers, then failed to protect it from hackers.
🔴 HIGH SEVERITY
TL;DR
In November 2024, an unauthorized hacker accessed computer systems at Saratoga Harness Racing, a casino and live racing venue in Saratoga Springs, New York, and stole the private information of 20,866 people. The stolen data included names, Social Security numbers, and driver’s license numbers, a combination that gives criminals everything they need to open fraudulent accounts, file fake tax returns, and destroy someone’s credit. The company held this sensitive data and failed to prevent its theft. A class action lawsuit was filed, and a settlement has been reached that offers victims up to $2,500 for documented losses, a flat $50 alternate cash payment, and one year of three-bureau credit monitoring with $1 million in identity theft insurance. Saratoga Harness Racing denies wrongdoing but agreed to pay attorneys’ fees of up to $250,000 and to implement enhanced security measures.
Over 20,000 real people now face years of identity theft risk because a company chose to collect and store their most sensitive data without adequate protection. That is unacceptable. If you were affected, claim your compensation. If you were not, demand that every business that holds your data protects it as if your financial life depends on it, because it does.
20,866
People whose data was stolen
$2,500
Max cash for documented losses
$50
Flat alternate cash payment
$250K
Max attorneys’ fees paid by defendant
$1M
Identity theft insurance per victim
1 Year
Three-bureau credit monitoring offered
Core Allegations
Core Allegations: What Happened
What Saratoga Harness Racing did, and failed to do
| 01 | Saratoga Harness Racing collected and stored the names, Social Security numbers, and driver’s license numbers of approximately 20,866 customers and employees, and an unauthorized third party accessed and exfiltrated that data in November 2024. | High |
| 02 | The company failed to implement security measures sufficient to prevent a targeted cyberattack on its systems, even though it was collecting Social Security numbers, one of the most exploitable data points a criminal can obtain. | High |
| 03 | Multiple state court class action lawsuits and one federal class action were filed against the company following the breach, all alleging similar claims on behalf of overlapping groups of victims, demonstrating the breadth of harm. | High |
| 04 | The company chose to settle without admitting liability or wrongdoing, a pattern that allows corporations to avoid accountability while victims absorb years of ongoing identity theft risk. | Med |
| 05 | Victims’ personal certifications or affidavits are explicitly not considered sufficient documentation to prove losses, placing additional burdens on people who were already harmed by the company’s failure to protect their data. | Med |
Corporate Accountability Failures
How the system let victims down again
| 01 | Saratoga Harness Racing explicitly denies any liability or wrongdoing in the settlement agreement, even as it pays to resolve a lawsuit brought by nearly 21,000 people whose most sensitive data was stolen from its systems. | High |
| 02 | No individual executive faces any personal consequence under the settlement terms. The company pays, its leadership answers to no one, and the structural incentive to under-invest in data security remains unchanged. | High |
| 03 | The security attestation Saratoga must provide to class counsel about its post-breach security improvements is explicitly marked confidential, meaning the public cannot verify whether the company has actually fixed the vulnerabilities that caused the breach. | High |
| 04 | Settlement class members who do nothing give up their right to sue the company forever, even if they later discover identity theft or fraud directly caused by this breach, foreclosing future legal remedies for ongoing harm. | High |
| 05 | The $50 flat payment offered to victims who cannot document losses is a fraction of a fraction of the real cost of identity theft, which can require hundreds of hours and thousands of dollars to resolve. | Med |
| 06 | Under the settlement’s plain terms, if unclaimed funds cannot be distributed, they revert directly to Saratoga Harness Racing, meaning the company financially benefits from low victim participation rates. | Med |
Economic Fallout
The real cost borne by victims
| 01 | Victims whose Social Security numbers were stolen face ongoing risk of tax fraud, fraudulent credit applications, fake benefit claims, and medical identity theft, harms that can persist for a decade or more after a single breach. | High |
| 02 | The documented loss reimbursement cap of $2,500 may fall far short of actual losses for victims who experience serious identity theft; the real cost of resolving a major identity theft case can exceed $13,000 per victim according to industry data. | High |
| 03 | Stolen driver’s license numbers combined with Social Security numbers give fraudsters a complete identity package enabling them to open bank accounts, obtain loans, rent apartments, and evade law enforcement in the victim’s name. | High |
| 04 | Workers whose employer-held data was stolen in this breach had no meaningful choice in whether their data was stored with Saratoga Harness Racing; they provided it as a condition of employment, making the company’s failure to protect it especially harmful. | Med |
Data Security as a Public Safety Issue
Why this breach is a threat to real lives
| 01 | Social Security number theft is not a temporary inconvenience; it is a permanent vulnerability. Unlike a stolen credit card number, a Social Security number cannot be changed, meaning victims of this breach carry elevated risk for the rest of their lives. | High |
| 02 | Dark web scanning, one of the credit monitoring benefits offered in the settlement, exists specifically because stolen Social Security numbers and identification documents are actively traded on criminal marketplaces, confirming the ongoing threat to every victim. | High |
| 03 | Medical identity theft, in which a criminal uses stolen personal data to obtain medical services or prescription drugs in the victim’s name, can corrupt a victim’s medical records with potentially life-threatening incorrect information. | High |
Timeline of Events
Nov 1, 2024
Saratoga Harness Racing discovers an unauthorized third party has accessed its computer systems and network. The breach has already occurred.
Nov 2024
A forensic investigation determines that the private information of approximately 20,866 individuals was compromised, accessed, and/or exfiltrated by the unauthorized party.
Late 2024 / Early 2025
Multiple state court class action lawsuits and one federal class action are filed against Saratoga Harness Racing. All allege similar claims on behalf of overlapping groups of victims.
May 16, 2025
A Consolidated Class Action Complaint is filed in Saratoga County, New York, combining the state court actions into a single proceeding.
August 11, 2025
Parties mediate before experienced class action mediator Bennett Picker and agree on the material terms of a settlement to resolve all claims on a class-wide basis.
August 13, 2025
Parties file a Joint Status Report and notice of settlement, requesting the court continue a stay while settlement discussions are finalized.
Oct 1–3, 2025
Settlement Agreement and Release is signed by all parties and filed with the Saratoga County Clerk. Preliminary Approval Order is submitted to the court.
2026 (pending)
Final Approval Hearing scheduled. Affected individuals must submit claims before the court-approved deadline to receive compensation.
Direct Quotes from the Legal Record
Quote 1
Scope of the breach, from the settlement agreement
Core Allegations
“Defendant determined that the Private Information of approximately 20,866 individuals was compromised, accessed, and/or exfiltrated by an unauthorized party during the Data Incident.”
💡 This is the company’s own forensic conclusion: nearly 21,000 people’s most sensitive identifying data was taken. This was not a minor glitch.
Quote 2
What data was stolen
Core Allegations
“Private Information means some combination of Settlement Class Members’ names, Social Security numbers, and driver’s license/state identification numbers.”
💡 The combination of a Social Security number and a government-issued ID number is the identity theft equivalent of a master key. These are the exact data points criminals need to assume someone’s identity entirely.
Quote 3
The company’s formal denial of responsibility
Accountability Failures
“Defendant does not in any way acknowledge, admit to, or concede any of the allegations made in the Complaint, and expressly disclaims and denies any fault or liability.”
💡 Despite agreeing to pay for victims’ losses and implement security changes, the company refuses to admit it did anything wrong. This is the corporate accountability standard: pay to make it go away, never accept responsibility.
Quote 4
Victims who do nothing lose all rights
Accountability Failures
“Any Settlement Class Member who does not timely and validly request to opt-out shall be bound by the terms of this Agreement even if that Settlement Class Member does not submit a Valid Claim.”
💡 If you were harmed and do nothing, you still lose the right to sue. Inaction does not protect victims; it protects the company. You must actively claim your compensation or actively opt out.
Quote 5
The nature of the cyberattack, from the long form notice
Core Allegations
“This case is about the targeted cyberattack on Saratoga’s computer systems that occurred in November 2024.”
💡 The word “targeted” is significant. This was not a random automated scan. A criminal deliberately went after Saratoga Harness Racing’s systems, suggesting the attacker knew valuable data was stored there.
Quote 6
Unclaimed funds revert to defendant
Accountability Failures
“In the event the Settlement Administrator is unable to distribute funds to the person or persons entitled to receive them due to incorrect or incomplete information provided to the Settlement Administrator, the funds shall revert to Defendant.”
💡 Money that victims do not claim goes back to the company that caused the harm. This is a direct financial incentive for corporations to make the claims process as difficult as possible.
Quote 7
Credit monitoring benefit details
Economic Fallout
“Dark web scanning with immediate notification of potential unauthorized use; security freezing assistance; victim assistance; $1,000,000.00 in identity theft insurance with no deductible.”
💡 The inclusion of dark web scanning confirms what everyone should understand: stolen Social Security numbers are actively sold and traded in criminal markets right now. The $1 million insurance figure is the company’s own acknowledgment of the severity of the risk.
Commentary
How serious is having your Social Security number stolen?
Extremely serious, and permanently so. Unlike a credit card number, your Social Security number is for life. A criminal with your SSN can file a fraudulent tax return and steal your refund, apply for loans and credit cards in your name, claim government benefits, seek employment using your identity, and obtain medical care that corrupts your permanent health records. Resolving a full SSN-based identity theft case can take hundreds of hours and years of credit repair. Every person affected by this breach faces elevated risk for the rest of their lives. This is not an overstatement.
Is the lawsuit legitimate, and is the settlement fair?
The lawsuit is legitimate and was filed by multiple separate legal teams in both state and federal courts. The federal case was dismissed (likely for jurisdictional reasons), and the state cases were consolidated into a single action. The settlement was reached through formal mediation and has been submitted for court approval. Whether the settlement is “fair” is more complex. The $50 flat payment is plainly inadequate relative to the real long-term risk of SSN theft. The $2,500 documented loss cap is a meaningful floor but not a ceiling on actual harm. Class action settlements in data breach cases routinely provide inadequate compensation because the legal system has not yet developed tools to value the ongoing, probabilistic harm of identity theft exposure.
Who was affected, and how do I know if I’m in the class?
The class includes all living U.S. residents whose information was potentially impacted in the November 2024 data incident at Saratoga Harness Racing, including customers and employees. This means both people who gambled at the casino or attended live racing events, and workers who provided their personal information as a condition of employment. If you received a notice from Saratoga Harness Racing about the data breach, or if you are on their customer or employee records, you may be a class member. Contact the settlement administrator using the information on the settlement website for a definitive answer.
Why didn’t the company have to admit it did anything wrong?
This is one of the most important structural failures in U.S. corporate accountability law. Companies routinely settle class action lawsuits without admitting liability. The business logic is straightforward: an admission of wrongdoing can be used in future litigation, affects insurance coverage, and creates reputational harm. So companies pay, disclaim responsibility, and move on. The victims receive modest compensation, the attorneys receive fees, and the company avoids accountability. This settlement follows the same formula. The result is a system that makes data breaches a manageable cost of doing business rather than a deterrent.
What can I do to prevent this from happening again?
Several concrete things: First, freeze your credit at all three bureaus (Equifax, Experian, TransUnion) and also at ChexSystems. This is free and prevents new accounts from being opened in your name without your knowledge. Second, use the free credit monitoring offered in this settlement if you qualify. Third, file a comment with the New York Attorney General’s office demanding stronger data security requirements for companies that collect Social Security numbers. Fourth, contact your state and federal legislators and demand mandatory minimum security standards for businesses storing sensitive personal data, with real penalties for CEOs whose companies experience preventable breaches. Fifth, when doing business with companies, ask whether they actually need your Social Security number; many requests are unnecessary. Collective pressure on lawmakers is the only structural solution.
What happens to employees whose data was stolen by their own employer?
Workers at Saratoga Harness Racing had no choice about whether their employer stored their Social Security numbers. Employers are legally required to collect SSNs for tax purposes. This means workers were compelled to hand over their most sensitive personal data to a company that then failed to protect it. The settlement covers employees as well as customers, and workers should absolutely file claims. But the deeper issue is that workers have no power over how their employers store personal data, making strong external regulation the only real protection. Employees cannot opt out of providing their SSN to their employer.
Why does the company get the money back if victims don’t claim it?
This is a deliberate feature of many data breach settlements and it deserves scrutiny. When unclaimed funds revert to the defendant rather than going to a consumer protection fund, a cy pres organization, or remaining available for late claimants, it creates a structural incentive for companies to keep the claims process difficult to navigate. Low claim rates mean lower actual costs. Courts should require that unclaimed funds in data breach settlements go to organizations that fund digital security education or identity theft victim assistance, not back to the company that caused the harm.
💡 Explore Corporate Misconduct by Category
Corporations harm people every day — from wage theft to pollution. Learn more by exploring key areas of injustice.
- 💀 Product Safety Violations — When companies risk lives for profit.
- 🌿 Environmental Violations — Pollution, ecological collapse, and unchecked greed.
- 💼 Labor Exploitation — Wage theft, worker abuse, and unsafe conditions.
- 🛡️ Data Breaches & Privacy Abuses — Misuse and mishandling of personal information.
- 💵 Financial Fraud & Corruption — Lies, scams, and executive impunity.
