Dotty’s Parent Company Suffers Malware Data Breach

The parent company of a popular Las Vegas chain of slot parlors (sorry, taverns), Dotty’s, was the subject of a malware attack and a subsequent data breach.

Nevada Restaurant Services, Inc. (NRS) sent notices to customers affected by the data breach, informing them that the compromised information included dates of birth and driver’s licenses.

In “Mission Impossible” terms, the Dotty’s NOC list could be out in the open.

Letters to customers stated, “In January 2021, NRS identified the presence of malware on certain computer systems in our environment. We immediately commenced an investigation to determine the full nature and scope of the incident and to secure our network.”

Nothing says “It’s time to secure our network” like a data breach!

The missive continues, “Through this investigation, we determined that, in connection to the malware event, an unauthorized person accessed certain systems within our network. The investigation determined that the unauthorized person copied certain information from these systems on or before January 16, 2021.”

The communication didn’t directly address whether or not the data of Dotty’s customers was involved in the breach. There are about 120 Dotty’s locations in Nevada.

The Founder and Chairman of NRS is Craig Estey.

NRS also operates Bourbon Street Sports Bars, Hoover Dam Lodge, Laughlin River Lodge, La Villita Casino and Red Dragon taverns and hotels.

In its communication with customers about the data breach, NRS said, “We have security measures in place to protect the information in our care, and we have worked to add further technical safeguards to our environment. As an added precaution, we are also offering you complimentary access to 12 months of credit monitoring and identity theft restoration services, through IDX.”

IDX refers to IDX Data Breach Response & Identity Protection Services, a third party that companies hand such scandals over to.

We called IDX, but were placed on hold for 30 minutes and never got through. The hold message said the company is experiencing a “higher than normal call volume.” No kidding.

Dotty’s reportedly has about 300,000 customers in its player database. And that’s just Dotty’s.

We reached out to Nevada Restaurant Services and were told the company had no additional information, and calling IDX was the only contact option.

We enjoyed our May 2021 visit to Dotty’s, especially because we weren’t in the Dotty’s database until May 2021.

Big thanks to Twitter follower Zach D. for tipping us off to this story.

Why hasn’t there been any media coverage about this data breach? Well, let’s just say companies involved in such security breaches don’t publicize the fallout of such “malware events.”

For example, UMC Medical center recently experienced a ransomware attack, and we had to repeatedly nudge local media before they finally followed up and reported the story.

Deep sigh.

People have a right to know if their confidential information has been compromised, and not just those the company is legally required to notify. Doing the least required by law has never been a great reputation management strategy.

We feel for businesses whose systems are attacked or breached, but addressing security vulnerabilities after a breach is too little, too late for customers.

9 thoughts on “Dotty’s Parent Company Suffers Malware Data Breach”

  1. Christine

    I just received that same letter in the mail, though mine is slightly different. After the last paragraph you mentioned where they said “the unauthorized person copied certain information from these systems on or before Jan 16, 21…”
    My letter goes on to say:
    ” We conducted a thorough review of the affected data to determine what types of information was there and to whom it related. On June 1st 2021, our review determined that your personal information was affected by this incident. This information included your date of birth, driver’s license, and your name.”
    They sent letters out to everyone, but only elaborated to those whose personal information was actually compromised. I guess that I, unfortunately, am one of those people. 🤦‍♀️

  2. W Lynn Black

    My husband and I both received letters. We changed driver’s license state recently, so I guess they don’t have up-to-date info! Heck, I didn’t even know who Nevada Restaurant Services were. I thought the letter might be bogus since IDX never answered or called me back.

    1. Scott Roeben Post author

      Thanks for the information. I trust traditional media will dive into this now, and Dotty’s will be forced to answer awkward questions.

  3. Rick

    You can assume the entire database of all customers who signed up for a players card has been copied and sold on the dark web. That means your driver’s license, which includes your address and date of birth, and anything else listed on the players club location. If you won a jackpot at some point, I would also presume that your social security number is also in that database.

    1. Michael Alexakis

      You can “assume”, “presume”, predict doom, gloom, lock yourself in a padded room… Millions of people have had their personal information on databases that have been hacked or compromised, and a very small percentage of them have had something stolen. Plenty of people who sign up for a players card from this company have no assets to steal. Cybersecurity is a hot and very significant issue, people should be warned when their data get breached, companies need to do way better protecting consumers. But just because your info was compromised does not mean you are or will be a crime victim. Keep an eye on your finances, as you should always do…

  4. Charlee Smith

    My letter says my name, date of birth, Driver’s license, and social security number were affected by this!! Is there some sort of lawsuit yet?

