A cyber-attack at Casino Rama in Ontario three years ago resulted in the personal data of a large number of gamblers being stolen. The extent of the damage has still not been ascertained, but it has been enough to warrant the filing of a class-action lawsuit against the popular casino.
Lawyers for the plaintiffs in the case argue that the personal information of up to 200,000 people was compromised in the attack, which occurred through a phishing scam. In November 2016, the attacker(s) posted personal data of around 10,900 people, showing their names, addresses, gambling losses, income, places of employment and credit files.
The culprits ultimately released around 4.5 gigabytes (GB) of data, which amounted to around 14,000 files. They also threatened to release another 150GB, but that never happened.
The casino asserts that the personal data of only around 10,000-11,000 people was compromised. However, if the hacker is to be believed, the additional 150GB would have represented considerably more.
As a result of the hack, the casino sent a notice to tens of thousands of Casino Rama patrons, informing them of the attack. This, argue the lawyers, is evidence that the theft affected much more than the casino wants to admit.
However, Casino Rama lawyers disagree. Cath Beagan-Flood, who is representing the casino, said that notices had been sent to tens of thousands of patrons out of nothing more than an abundance of caution, not because every recipient had their information compromised. She added that the venue should not be punished for being a “good corporate citizen.”
The plaintiffs are seeking restitution for negligence, breach of contract and intrusion on privacy. They are looking for as much as $55 million in compensation.
According to the lawsuit, “The specifics of when the hacker infiltrated Casino Rama’s network, how the hacker infiltrated Casino Rama’s network and servers, and the full extent of the data stolen by the hacker, were not released by Casino Rama, and are unknown to the plaintiffs.”
Those assertions have been substantiated by the Information and Privacy Commissioner of Ontario. It released a report this past January that acknowledged that the casino did not have sufficient security measures and that it did not investigate the hack appropriately.