[BreachExchange] Class-action lawsuit launched against TransLink for data breach in December

Destry Winant destry at riskbasedsecurity.com
Wed Jan 27 10:53:18 EST 2021


https://vancouversun.com/news/local-news/class-action-lawsuit-launched-against-translink-for-data-breach-in-december?r

A class-action lawsuit has been launched against TransLink to
compensate employees and retirees, and possibly others, affected by a
huge ransomware data breach in December.

TransLink is named as the sole defendant in the notice of civil claim
filed in B.C. Supreme Court alleging a data breach in early December
“resulting in the loss, theft or compromise of highly sensitive
personal information” of its employees “and other stakeholders.”

The information included “extremely sensitive and highly valuable
banking information,” the claim alleges.

The plaintiff is a retired employee living in B.C. and identified only
as G.D. Lawyer Sajjad Nematollahi said his full identity is hidden to
protect his privacy, which he said is allowed by law. G.D. was not
available for an interview.

The claim said G.D. believes his and others’ personal information was
compromised by the breach, which resulted in “damage and losses” as
well as the “risk of significant harm to their property, finances,
creditworthiness, reputation and relationships.”

The damages and losses aren’t specified in the claim. It says the
action “seeks to recover compensation” through a list of different
types of damages, including punitive.

The action alleges that TransLink “violated its duty to safeguard the
class members’ personal information.”

TransLInk’s “actions and omissions and its breaches of duty were
carried out knowingly or recklessly,” it said.

And G.D. is “extremely concerned about the lack of meaningful
communication on the part of TransLink” about the breach, it said.

“The plaintiff has incurred significant damages and losses” and has
gone through “significant inconvenience,” trying to get more
information from TransLink about the breach so he can further protect
himself, it alleged.

“This (lawsuit) is on behalf of people who have been victims of data
breaches, which is very, very serious,” said Nematollahi from KND
Complex Litigation in Toronto. “I have had my personal information
breached and it is a horrible feeling to have your privacy violated
and you’re left wondering in what way they’re going to use it.”

“It gives a voice to other people who don’t have the means to pursue
their rights,” he said.

He said TransLink hasn’t responded to the claim — it has 21 days after
being served — and he couldn’t say how many class members the suit
will eventually represent or if it would include transit users.

“These types of ransomware and cyberattack incidents in Canada and
North America are increasing,” he said. “Those incidents are on the
rise.”

“They’re very serious,” he said. “They (companies and corporations)
need to do better to protect information from third-party attacks and
thefts.”

The filing of a class-action lawsuit “makes sure the situation is
addressed and encourages better cybersecurity practices” at TransLink
and elsewhere, said Nematollahi.

None of the allegations have been proven in court.

“We had many security measures in place to secure the information of
our past and present employees and customers” and continue to work on
security, said an email from aTransLink spokesman who didn’t want to
be named.

He said TransLink “proactively disclosed suspicious activity on our
network” within hours and has since “disclosed as much accurate
information as we can to keep people informed … in an ongoing forensic
and police investigation.”

The company said it wouldn’t comment more specifically because the
case is before the courts.

In early December, TransLink issued a social media alert about what it
later called “suspicious network activity” and later still confirmed
was a ransomware attack. The CEO about a month later said it acted
within hours of it learning of the attack.

The first step for the action is to have it certified as a class
action in the courts.


More information about the BreachExchange mailing list