Wynn Resorts Let ShinyHunters Steal 800,000 Social Security Numbers
The Non-Financial Ledger: What 800,000 People Actually Lost
Forget the dollar figures for a moment. Before the lawyers calculate damages and before the settlement talks begin, there are 800,000 people whose mornings are now different. They wake up and check their bank accounts before they check their messages. They get a spam call and wonder if this is the one. They try to file their taxes and get rejected because someone already filed using their identity. They apply for a job and find out a fraudulent loan is dragging down their credit. They call their bank and get put on hold for an hour to explain something that was not their fault.
One of the named plaintiffs, Joseph Foschi, received Wynn’s notice letter dated November 14, 2025. That letter told him his name and Social Security number had been taken. It told him to monitor his credit. It offered him 24 months of a monitoring service and then went quiet on every question that actually mattered: how it happened, who did it, whether Wynn had even stopped the threat. Foschi now carries fear, anxiety, and stress, compounded specifically by the fact that Wynn still has not told him the full story. That is not a legal abstraction. That is a person lying awake at night with a question a corporation refuses to answer.
The U.S. Government Accountability Office has documented that stolen data can sit dormant for over a year before being weaponized. Law enforcement has confirmed thieves sometimes hold information for more than twelve months before using it to commit identity theft. That means every one of these 800,000 people is now living inside an indeterminate waiting period. The fraud might not appear for months. It might not appear for years. It might show up as a debt collector’s call about a loan they never took out. It might be a letter from the IRS. It might be a credit denial for a mortgage they saved years to afford.
A Social Security number cannot be cancelled. It cannot be changed with a phone call. It is the foundational credential of financial identity in the United States, baked into banking processes, woven into tax systems, and used as the gold standard for verifying identity across almost every institution that matters. The people whose numbers are now in the possession of ShinyHunters and whoever buys those records next did not consent to this risk. They handed their information to Wynn because Wynn required it. The company collected it, profited from it, and then failed to protect it with even the most basic safeguard: encryption.
This is what it means when a corporation decides that cheaper security is worth it. The cost savings stay on Wynn’s books. The consequences live in the bodies and bank accounts of 800,000 people for the rest of their lives.
“The present and continuing risk of identity theft and fraud to victims of the Data Breach will remain for their respective lifetimes.”
Legal Receipts: What the Complaint Actually Says
These are direct quotes from the class action complaint filed February 21, 2026, in the U.S. District Court for the District of Nevada. Every quote is from the source document.
“Defendant failed to adequately protect Plaintiff’s and Class Members’ Private Information—and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted Private Information was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect Plaintiff’s and Class Members’ sensitive data.”
Class Action Complaint, Para. 5 — Case 2:26-cv-00482
- This paragraph establishes the core failure: Wynn did not use encryption. Encryption is a standard, well-documented, widely available security tool. The complaint’s use of the word “even” signals that encryption is not a sophisticated requirement; it is the floor, and Wynn did not meet it.
- The phrase “utter failure” is legally significant. It signals the complaint is building toward a finding of recklessness, which carries heavier damages exposure than ordinary negligence.
“Omitted from the Notice Letter were the identity of the cybercriminals who perpetrated this Data Breach, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again. To date, these critical facts have not been explained or clarified to Plaintiff and Class Members.”
Class Action Complaint, Para. 29 — Case 2:26-cv-00482
- Wynn’s notice letter withheld four categories of information that victims need to protect themselves: who did it, how it happened, what weakness was exploited, and what Wynn actually fixed. Without this, victims cannot know whether the threat is still active.
- The complaint explicitly frames this omission as a second injury layered on top of the breach itself. Inadequate notice is treated as its own independent harm, worsening victims’ ability to mitigate damage.
“Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ Personal Information. Instead of providing a reasonable level of security that would have prevented the hacking incident, Defendant instead calculated to increase its own profit at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures and diverting those funds to its own profit.”
Class Action Complaint, Para. 200 — Case 2:26-cv-00482
- This is the unjust enrichment theory in plain language: Wynn made a financial decision. It weighed the cost of proper security against the cost of skipping it and chose to skip it. The money saved went to profit. The risk was transferred to customers.
- This framing is important because it removes the possibility of a “we just didn’t know” defense. The complaint characterizes inadequate security as a calculated financial decision, which requires courts to look at corporate intent alongside corporate negligence.
“Defendant’s offering of credit and identity monitoring establishes that Plaintiff and Class Members’ sensitive Private Information was in fact affected, accessed, compromised, and exfiltrated from Defendant’s computer systems.”
Class Action Complaint, Para. 58 — Case 2:26-cv-00482
- This is Wynn’s own action being used as an admission. By offering identity monitoring, Wynn confirmed the breach was real and that customers’ data was taken. The complaint uses this as evidence against any future corporate attempt to minimize or dispute the scope of the breach.
“The retail cost of credit monitoring and identity theft monitoring can cost around $200 a year per Class Member. This is reasonable and necessary cost to monitor to protect Class Members from the risk of identity theft that arose from Defendant’s Data Breach.”
Class Action Complaint, Para. 117 — Case 2:26-cv-00482
- At $200 per year per victim across 800,000 people, ongoing monitoring costs the class $160,000,000 per year. Wynn’s 24-month offer covers two years, then stops. The complaint argues victims will need this protection indefinitely, turning the lifetime cost per victim into a significant economic harm that was entirely preventable.
“Defendant was, or should have been, fully aware of the unique type and the significant volume of data on Defendant’s server(s), amounting to several individuals’ detailed, Private Information.”
The Scale in Numbers
The following visualization maps the documented scale of this breach against context drawn directly from the complaint’s factual allegations.
Societal Impact Mapping
Environmental Degradation
The source document contains no documented environmental harms. This sub-section is not applicable to this investigation.
Public Health
Financial identity theft has documented links to psychological and physical health outcomes. The complaint captures several of these harms directly.
- Named plaintiff Joseph Foschi is documented as suffering fear, anxiety, and stress as a direct, named result of the breach. These are not speculative harms; they are pleaded as concrete injuries in the complaint at Para. 128.
- Identity theft victims are forced to spend significant unpaid hours freezing credit, filing fraud alerts, contacting bureaus, reviewing accounts, and disputing charges. The complaint notes this time “has been lost forever and cannot be recaptured,” a permanent deprivation of a non-renewable resource that compounds stress and disrupts daily life.
- The GAO has documented that victims of identity theft face “substantial costs and time to repair the damage to their good name and credit record.” Research cited in the complaint confirms this process can stretch over years, producing chronic, long-term psychological burden on affected individuals.
- Fraud enabled by stolen SSNs extends into medical identity theft, where criminals can obtain medical services under a victim’s name, corrupting medical records and potentially resulting in incorrect treatment being administered to the actual victim in an emergency.
Economic Inequality
The economic consequences of this breach fall hardest on people with the least capacity to absorb them, a structural feature of corporate data negligence that the complaint documents in detail.
- After Wynn’s 24-month monitoring offer expires, victims who cannot afford $200 per year for continued monitoring will be left exposed. Wealthier victims can pay for continued protection; lower-income victims cannot. The harm compounds along pre-existing economic lines.
- Criminals construct “Fullz” packages by combining stolen SSNs with publicly available data, assembling complete identity dossiers that are then sold and resold indefinitely on dark web markets. A victim whose SSN was taken at Wynn can have that exposure leveraged against them by multiple criminal actors for years, each transaction generating profit for criminals at the victim’s expense.
- SSNs enable criminals to file false tax returns, open fraudulent bank accounts, take out loans, and file unemployment claims in victims’ names. For working-class victims, a rejected tax return or a denied unemployment claim during a period of financial need can produce an acute economic crisis with no fast resolution.
- The complaint documents that stolen Personal Information sells for $40 to $200 per record individually and $900 to $4,500 per company breach dataset. Cybercriminals profited directly from Wynn’s negligence. The economic extraction flows from victims’ futures to criminals’ accounts, with Wynn as the unlocked door.
- The complaint notes that the data brokering industry was worth roughly $200 billion in 2019. Wynn’s customers’ information now circulates in both the legitimate data economy and the criminal one without the customers’ consent and without any compensation to them.
- Individual class members cannot afford to sue Wynn alone. The complaint explicitly argues that without a class action, Wynn’s “superior financial and legal resources” would “overwhelm the limited resources of each individual Class Member.” The structural economic asymmetry between a Las Vegas casino operator and a single breach victim is not incidental; it is the mechanism that makes corporate negligence profitable.
“Sensitive Private Information can sell for as much as $363 per record. Compared to credit card information, personally identifiable information and Social Security numbers are worth more than 10x on the black market.”
The “Cost of a Life” Metric
What Now?
The class action was filed February 21, 2026. Here is what you can do right now if your data was in this breach, and who you should be pressuring to take action.
Corporate Accountability: Key Defendant
- Wynn Resorts Limited, principal address: 3131 Las Vegas Blvd. South, Las Vegas, NV 89109. Named in this suit as a corporate entity. The source complaint names no individual executives; hold the corporation and its board accountable by name through public pressure and regulatory contact.
Regulatory Watchlist
- Federal Trade Commission (FTC): The complaint cites Section 5 of the FTC Act as the primary federal standard Wynn violated. The FTC has pursued over 50 enforcement actions against companies for failing to protect consumer data. File a complaint at ftc.gov/complaint referencing Wynn Resorts and the February 2026 breach.
- Nevada Attorney General: Wynn is a Nevada corporation. State AGs have data breach notification enforcement authority. Contact the Nevada AG’s Consumer Protection Division to report the inadequate breach notification Wynn sent to victims.
- U.S. Securities and Exchange Commission (SEC): Wynn Resorts is a publicly traded company. Failure to disclose material cybersecurity incidents or risks to shareholders is an SEC matter. File a tip at sec.gov/tcr.
- Consumer Financial Protection Bureau (CFPB): If fraud from this breach results in unauthorized financial account activity, bank fraud, or fraudulent loans, file with the CFPB at consumerfinance.gov/complaint.
- FBI Internet Crime Complaint Center (IC3): ShinyHunters is named in the complaint as the threat actor. Report cybercrime victimization from this breach at ic3.gov.
Protect Yourself Right Now
- Freeze your credit immediately at all three bureaus: Equifax, Experian, and TransUnion. A credit freeze is free and blocks new accounts from being opened in your name. This is the single most effective action you can take.
- Place a fraud alert with one bureau (they notify the others). Consider an extended seven-year fraud alert if you suspect your identity has already been used.
- File your taxes early every year. Tax fraud is one of the most common uses of stolen SSNs. Filing first blocks criminals from filing a fraudulent return in your name.
- Document every hour you spend on mitigation: account monitoring, bureau calls, fraud disputes, credit freezes. The complaint specifically argues lost time is a compensable injury. Keep records in case you are part of the class action settlement.
Community and Mutual Aid
- Connect with local consumer protection legal aid organizations in your area. If you received a Wynn breach notification letter, you may be a class member and may not need to pay for representation to participate in this lawsuit. Freedom Law Firm is listed as counsel for plaintiffs at (702) 880-5554.
- Share the breach notification letter with neighbors, community members, and anyone in your network who may have been a Wynn customer. Many victims do not open official mail carefully or know what action to take. Peer-to-peer information distribution closes the gap that corporate opacity created.
- Organize locally around data privacy legislation. Push your state representatives for mandatory encryption requirements, meaningful breach notification standards with teeth, and legislation that holds corporate officers personally liable for data negligence. Nevada, where Wynn is based, is a direct target for state-level action.
The source document for this investigation is attached below.