[BreachExchange] Cyber attack in Canada spawns $60 million lawsuit

Tue Apr 2 09:21:55 EDT 2019

https://www.canadianunderwriter.ca/risk/cyber-attack-in-canada-spawns-60-million-lawsuit-1004161386/

As many as 200,000 people may have had their personal information
stolen in a hack on servers at one of Ontario’s most popular casinos,
a lawyer for the plaintiffs pressing a proposed class action argued on
Thursday.

However, a lawyer for Casino Rama countered that, at most, 10,000 to
11,000 people were victimized and the plaintiffs’ definition of who
should be included in the proposed class action was far too broad.

The case arose in November 2016 when Casino Rama announced it had been
victim of a cyberattack in which a large quantity of sensitive
personal information had been stolen. The attacker, who apparently
gained access through a phishing scam, posted the information –
including names, addresses, credit files, gambling losses, income and
place of employment – of about 10,900 people publicly on Nov. 11,
2016.

In all, the hacker published about 4.5 gigabytes of information, or
14,000 files, while threatening to release a further 150 gigabytes of
data.

Cathy Beagan-Flood, lawyer for the defendants, said the casino sent
notices of the attack to tens of thousands of people as a precaution,
not because their information had necessarily been compromised. The
casino, she said, should not be punished for being a “good corporate
citizen” and transparent in dealing with the hack.

In their statement of claim, the plaintiffs allege negligence, breach
of contract, and intrusion on privacy among other things. They seek
$60 million in compensation for damage to reputation, mental distress
and costs incurred in dealing with the fallout of the hack.

“The specifics of when the hacker infiltrated Casino Rama’s network,
how the hacker infiltrated Casino Rama’s network and servers, and the
full extent of the data stolen by the hacker, were not released by
Casino Rama, and are unknown to the plaintiffs,” the statement of
claim asserts.

What is known, their lawyer Ted Charney told the court on Thursday, is
that two casino servers were hacked even if the number of people and
what information was on those servers has not been disclosed.

However, the plaintiffs allege, victims include past and present
patrons, people who were part of a voluntary gambling-exclusion
program, past and present casino employees, and vendors.

In urging a broader class definition, Charney leaned on new evidence:
a report from Ontario’s privacy commissioner released at the end of
January. In her report, a commission investigator concluded the
casino’s security measures were insufficient and that it had failed to
investigate the initial intrusion effectively.

“(Casino Rama) did not have reasonable security measures in place to
prevent unauthorized access to records of personal information,” the
report concluded.

Charney argued the report bolstered his push for a bigger class, even
if it was not clear exactly how many people were affected by the hack.

“Thank goodness we now have the commissioner’s report,” Charney said.
“We have evidence now that a substantial number of patrons had data on
the two servers. There’s some basis in fact that their information
wasn’t adequately protected.”

For her part, Beagan-Flood said the privacy commission’s report should
receive little or no weight. The information of many patrons was
stored on servers that could not have been hacked, she said.

“The (privacy commissioner) did not have all of the information,”
Beagan-Flood said. “The evidence is that the non-Windows servers would
not have been vulnerable.”

Superior Court Justice Edward Belobaba made it clear he wasn’t
interested in arguments on the merits of the unproven action. Instead,
he said, he wanted to focus on whether evidence existed that could
support a class action and who would be in the class.

He said he would likely have a certification decision in May.