Judge Asked to Consider $60 Million Class-Action Lawsuit Over Casino Rama Cyber Attack

Posted on: March 29, 2019, 04:14h. 

Last updated on: March 29, 2019, 04:14h.

Lawyers for Casino Rama in Orillia, Ontario at a Superior Court hearing on Thursday denied that as many as 200,000 people had been affected by a hacker who breached its servers in 2016 and stole sensitive customer information — they put the figure at 10,000 to 11,000, the Canadian Press reports.

Casino Rama
The Casino Rama was hit by a cyber attack in November 2016 that saw the personal information of nearly 11,000 customers leaked online, but did the unknown hacker actually steal the private data of tens of thousands more people? (Image: Casino Rama)

A judge said a decision on whether to allow a proposed class-action lawsuit that seeks $60 million in damages from the casino — which is owned by the Chippewas of Rama First Nation — could be expected in May.

It was the first time representatives of the casino had given any indication of the number of victims of the cyberattack, which resulted in the publication private information — including names, addresses, credit files, gambling losses, income and place of employment — of 10,900 people.

Some of the victims had been part of the casino’s voluntary self-exclusion program.

The hacker dumped 4.5 gigabytes of data, or 14,000 files, into the public domain, but claimed to have stolen much more and threatened to release 150 gigabytes.

Full Extent of Breach Unclear

The casino’s reluctance to talk numbers has come back to bite it, as it now seeks to limit the number of people that could potentially join the suit, if it is allowed to proceed.

The plaintiffs note the hacker’s claim to have thousands of additional files and that the casino sent notifications to tens of thousands of people not ten thousand after the attack, warning them their personal details may have been compromised.

Cathy Beagan-Flood, representing the casino, said this was merely a precaution and the casino should not be punished for its transparency.

But the plaintiffs argue the casino has not been transparent at all.

“The specifics of when the hacker infiltrated Casino Rama’s network, how the hacker infiltrated Casino Rama’s network and servers, and the full extent of the data stolen by the hacker, were not released by Casino Rama, and are unknown to the plaintiffs,” says the filing.

‘Inadequate’ Security

Lawyer for the plaintiffs, Ted Charney, cited a report from Ontario’s privacy commissioner that concluded the casino did not have “reasonable security measures in place to prevent unauthorized access to records of personal information,” and that it had failed to effectively investigate an attack on one server, before the hacker struck again on a second server.

Charney argued the alleged negligence warrants a broader class definition for the suit: “Thank goodness we now have the commissioner’s report,” he said. “We have evidence now that a substantial number of patrons had data on the two servers. There’s some basis in fact that their information wasn’t adequately protected.”