What happens in Vegas… Las Vegas hotel and casino giant Wynn Resorts appears to be the latest victim of data-grabbing and extortion gang ShinyHunters.…
# Incident Report: Wynn Resorts Data Extortion by ShinyHunters
## Executive Summary
Wynn Resorts has been targeted by the cybercrime group ShinyHunters, which claims to have exfiltrated over 800,000 sensitive employee records. The attackers are demanding a $1.5 million ransom in Bitcoin to prevent the leak of Social Security numbers and personal data. The breach reportedly originated from an Oracle PeopleSoft vulnerability combined with compromised employee credentials.
## Incident Details
- **Discovery Date:** February 20, 2026 (Public disclosure via leak site)
- **Incident Date:** September 2025 (Initial Access)
- **Affected Organization:** Wynn Resorts
- **Sector:** Hospitality / Gaming / Casino
- **Geography:** Las Vegas, Nevada, USA
## Timeline of Events
### Initial Access
- **Date/Time:** September 2025
- **Vector:** Exploitation of an Oracle PeopleSoft vulnerability.
- **Details:** Attackers combined a vulnerability in the Oracle PeopleSoft platform with valid employee credentials; how those credentials were obtained (social engineering or an insider) remains unconfirmed.
### Lateral Movement
- **Details:** Specific lateral movement techniques were not disclosed in the report, though the attackers successfully moved from the initial access point to sensitive HR/Payroll databases.
### Data Exfiltration/Impact
- **Date:** September 2025 – February 2026
- **Details:** Exfiltration of 800,000+ records including Full Names, Emails, Phone Numbers, Salaries, Birthdays, and Social Security Numbers (SSNs).
### Detection & Response
- **Detection:** Discovered via ShinyHunters' dark web blog post on February 20, 2026.
- **Response actions taken:** None publicly disclosed by Wynn at the time of the report; the extortionists set a deadline of February 23, 2026, for Wynn to pay 22.34 BTC (approx. $1.5M).
## Attack Methodology
- **Initial Access:** Valid Accounts / Exploit Public-Facing Application (Oracle PeopleSoft).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Use of employee credentials to access HR/Payroll systems.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Potential Social Engineering or Insider Threat (ShinyHunters has a history of soliciting insiders on Telegram).
- **Discovery:** Internal database reconnaissance for PII.
- **Lateral Movement:** Pivot from ERP software to data storage.
- **Collection:** Automated collection of employee PII.
- **Exfiltration:** Transfer of 800,000 records to attacker-controlled infrastructure.
- **Impact:** Financial Extortion and potential future "digital problems" (threatened DDoS or further disruption).
## Impact Assessment
- **Financial:** $1.5 million ransom demand (starting price).
- **Data Breach:** High volume (800,000+ records) involving sensitive SSNs and salary data.
- **Operational:** Threat of "digital problems" if payment is not met; potential for cascading outages.
- **Reputational:** High-profile mention alongside historic breaches (MGM/Caesars).
## Indicators of Compromise
- **Network indicators:** None provided in the article.
- **File indicators:** None provided in the article.
- **Behavioral indicators:** Unusual access to Oracle PeopleSoft modules; high-volume data transfers from HR databases during September 2025.
## Response Actions
- **Containment:** Internal investigation into the Oracle PeopleSoft vulnerability (Wynn has not yet publicly commented on specific remediation steps).
- **Eradication:** Not disclosed.
- **Recovery:** Not disclosed.
## Lessons Learned
- **ERP Vulnerabilities:** Critical business applications like Oracle PeopleSoft are high-value targets and require immediate patching of known vulnerabilities.
- **Credential Security:** Even when valid credentials are in play, Multi-Factor Authentication (MFA) or a Zero Trust Architecture might have slowed the attack's progression.
- **Insider Threat/Vishing:** The threat actor's history suggests that employee training against social engineering (and monitoring for insider solicitation) is vital in the Vegas hospitality sector.
## Recommendations
- **Patch Management:** Audit and patch all public-facing Oracle PeopleSoft instances immediately.
- **MFA Enforcement:** Implement hardware-based MFA (e.g., FIDO2) to mitigate vishing and credential theft.
- **Identity & Access Management:** Implement "Least Privilege" for HR databases to ensure a single compromised credential cannot exfiltrate the entire employee directory.
- **Monitoring:** Implement anomaly detection for large-scale data exports from enterprise resource planning (ERP) systems.
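The two behavioral indicators listed under Indicators of Compromise (unusual access to Oracle PeopleSoft modules, high-volume data transfers from HR databases) and the monitoring recommendation above describe one detection problem: spotting an account whose export volume or module footprint suddenly departs from its own history. The following is an added example written for this page, not code from the report, from Wynn, or from Oracle. It runs over a constructed audit log (fake accounts, fake module names, fake row counts) and implements both checks: a per-account daily export volume compared against that account's own median day, and a first-seen-module alert for accounts with established history.

```python
"""Volume and first-seen-module anomaly detection over ERP/HR audit records.

Added example for this incident report. The log lines, account names and
module names below are constructed for illustration; they are not real
PeopleSoft audit output or data from any organisation.
Record shape assumed: <ISO timestamp> <account> <module> <rows returned>
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Constructed sample: four quiet days, then one night-time account pulls two
# entire HR tables and touches an admin module it never used before.
SAMPLE_LOG = """\
2025-09-01T09:12:03Z hr_analyst1 HR_PERSONAL_DATA 120
2025-09-01T10:44:17Z hr_analyst1 HR_PAYROLL 85
2025-09-02T09:05:41Z hr_analyst1 HR_PERSONAL_DATA 140
2025-09-02T14:20:09Z hr_analyst1 HR_PAYROLL 90
2025-09-03T09:30:55Z hr_analyst1 HR_PERSONAL_DATA 110
2025-09-03T11:02:30Z payroll_clerk HR_PAYROLL 300
2025-09-04T09:15:12Z hr_analyst1 HR_PERSONAL_DATA 130
2025-09-04T10:00:00Z payroll_clerk HR_PAYROLL 280
2025-09-05T02:13:48Z hr_analyst1 HR_PERSONAL_DATA 410000
2025-09-05T02:41:02Z hr_analyst1 HR_PAYROLL 395000
2025-09-05T03:05:19Z hr_analyst1 PS_SECURITY_ADMIN 12
"""

VOLUME_RATIO = 10      # a day must exceed 10x the account's median day...
VOLUME_FLOOR = 1000    # ...and at least this many rows, so tiny baselines don't alert on noise
MIN_HISTORY_DAYS = 2   # days of prior history needed before an account is judged at all


@dataclass(frozen=True)
class Event:
    ts: str       # full ISO timestamp, used for chronological ordering
    day: str      # YYYY-MM-DD, the aggregation bucket
    account: str
    module: str
    rows: int


def parse_log(text: str) -> list[Event]:
    """Parse whitespace-separated audit lines into chronologically sorted events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, module, rows = line.split()
        events.append(Event(ts, ts[:10], account, module, int(rows)))
    return sorted(events, key=lambda e: e.ts)  # ISO timestamps sort lexicographically


def daily_totals(events: list[Event]) -> dict[str, dict[str, int]]:
    """account -> day -> total rows returned that day."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e.account][e.day] += e.rows
    return totals


def detect_volume_spikes(events: list[Event]) -> list[tuple[str, str, int]]:
    """Return (account, day, rows) where a day's exports dwarf that account's other days.

    The baseline is a leave-one-out median of the same account's other days, so a
    single huge day cannot inflate its own threshold.
    """
    findings = []
    for account, per_day in daily_totals(events).items():
        for day, total in sorted(per_day.items()):
            others = [t for d, t in per_day.items() if d != day]
            if len(others) < MIN_HISTORY_DAYS:
                continue  # not enough history to say what "normal" is
            threshold = max(VOLUME_FLOOR, VOLUME_RATIO * median(others))
            if total > threshold:
                findings.append((account, day, total))
    return findings


def detect_new_modules(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (account, day, module) when an account with history touches a never-before-seen module."""
    seen_modules: dict[str, set[str]] = defaultdict(set)
    seen_days: dict[str, set[str]] = defaultdict(set)
    findings = []
    for e in events:  # events are chronological, so "seen" means "seen earlier"
        prior_days = seen_days[e.account] - {e.day}
        if len(prior_days) >= MIN_HISTORY_DAYS and e.module not in seen_modules[e.account]:
            findings.append((e.account, e.day, e.module))
        seen_modules[e.account].add(e.module)
        seen_days[e.account].add(e.day)
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for acct, day, rows in detect_volume_spikes(evts):
        print(f"VOLUME  {day} {acct}: {rows} rows exported (far above own baseline)")
    for acct, day, mod in detect_new_modules(evts):
        print(f"MODULE  {day} {acct}: first access to {mod}")
```

On the constructed log this flags `hr_analyst1` on 2025-09-05 for 805,012 rows against a median day of under 200, and separately for its first-ever use of `PS_SECURITY_ADMIN`; `payroll_clerk` is never judged because it has only two days of history. In production the same two signals would be computed from whatever export or query audit the ERP and database emit, with the floor and ratio tuned per role rather than hard-coded, and the leave-one-out median is what keeps a slow multi-day exfiltration from quietly raising its own threshold.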