Dotty’s Parent Company Suffers Malware Data Breach

The parent company of a popular Las Vegas chain of slot parlors (sorry, taverns), Dotty’s, was the subject of a malware attack and a subsequent data breach.

Nevada Restaurant Services, Inc. (NRS), sent notices to customers affected by the data breach informing them compromised information included dates of birth and drivers licenses.

Dotty's data breach
In “Mission Impossible” terms, the Dotty’s NOC list could be out in the open.

Letters to customers stated, “In January 2021, NRS identified the presence of malware on certain computer systems in our environment. We immediately commenced an investigation to determine the full nature and scope of the incident and to secure our network.”

Nothing says “It’s time to secure our network” like a data breach!

The missive continues, “Through this investigation, we determined that, in connection to the malware event, an unauthorized person accessed certain systems within our network. The investigation determined that the unauthorized person copied certain information from these systems on or before January 16, 2021.”

The communication didn’t directly address whether or not the data of Dotty’s customers was involved in the breach. There are about 120 Dotty’s locations in Nevada.

The Founder and Chairman of NRS is Craig Estey.

NRS also operates Bourbon Street Sports Bars, Hoover Dam Lodge, Laughlin River Lodge, La Villita Casino and Red Dragon taverns and hotels.

In its communication with customers about the data breach, NRS said, “We have security measures in place to protect the information in our care, and we have worked to add further technical safeguards to our environment. As an added precaution, we are also offering you complimentary access to 12 months of credit monitoring and identity theft restoration services, through IDX.”

IDX refers to IDX Data Breach Response & Identity Protection Services, a third party that company’s hand such scandals over to.

We called IDX, but were placed on hold for 30 minutes and never got through. The hold message said the company is experiencing a “higher than normal call volume.” No kidding.

Dotty’s reportedly has about 300,000 customers in its player database. And that’s just Dotty’s.

We reached out to Nevada Restaurant Services and were told the company had no additional information, and calling IDX was the only contact option.

Dotty's jackpot
We enjoyed our May 2021 visit to Dotty’s, especially because we weren’t in the Dotty’s database until May 2021.

Big thanks to Twitter follower Zach D. for tipping us off to this story.

Why hasn’t there been any media coverage about this data breach? Well, let’s just say companies involved in such security breaches don’t publicize the fallout of such “malware events.”

For example, UMC Medical center recently experienced a ransomware attack, and we had to repeatedly nudge local media before they finally followed up and reported the story.

Deep sigh.

People have a right to know if their confidential information has been compromised, and not just those the company is legally required to notify. Doing the least required by law has never been a great reputation management strategy.

We feel for businesses whose systems are attacked or breached, but addressing security vulnerabilities after a breach is too little, too late for customers.