As many as 200,000 people may have had their personal information stolen in a cyberattack on servers at Ontario’s Casino Rama north of Toronto, lawyers pressing a proposed class action against the resort argued on Friday. The resort says a hacker broke into its internal computer network and stole confidential company, customer, employee and vendor information. It became aware of the attack on Nov. 4 and notified the government and customers of the breach. The resort said the hacker claimed to have accessed its IT details, hotel and casino financial reports, security incident reports, company email, customer credit inquiries, collection and debt information and vendor information and contracts. Employee information including performance reviews, payroll data, terminations and social insurance numbers was also stolen.
The class action was commenced on behalf of past and present Casino Rama employees, patrons of the casino, members of its self-exclusion program, and vendors who provided their personal information to the resort. The plaintiffs are seeking damages for negligence, breach of contract and intrusion on privacy. They allege that the privacy breach caused them loss of income, emotional distress and aggravated damages and losses.
Lawyers for the defendants argued that the class action was too broad. They alleged that only two servers were hacked and that it is unclear how the hackers gained access to the information. They also argued that the claims of those who have been victimized are exaggerated. The judge hearing the case will make a decision in June.
In a separate motion, the plaintiffs successfully argued that the company failed to put in place reasonable measures to protect its data from unauthorized access by hackers and other parties. They also alleged that the company failed to implement audit report recommendations and that this contributed to the attack.
In their motion, the plaintiffs sought to compel the defendants to produce a report from the third-party security firm Mandiant that investigated the breach immediately after it happened. Justice Glustein ruled that the defence claim of privilege was waived and that the defendants must produce the report.