TORONTO -- As many as 200,000 people may have had their personal information stolen in a hack on servers at one of Ontario's most popular casinos, a lawyer for the plaintiffs pressing a proposed class action argued on Thursday.
However, a lawyer for Casino Rama countered that, at most, 10,000 to 11,000 people were victimized and the plaintiffs' definition of who should be included in the proposed class action was far too broad.
The case arose in November 2016 when Casino Rama announced it had been the victim of a cyberattack in which a large quantity of sensitive personal information had been stolen. The attacker, who apparently gained access through a phishing scam, posted the information -- including names, addresses, credit files, gambling losses, income and place of employment -- of about 10,900 people publicly on Nov. 11, 2016.
In all, the hacker published about 4.5 gigabytes of information, or 14,000 files, while threatening to release a further 150 gigabytes of data.
Cathy Beagan-Flood, lawyer for the defendants, said the casino sent notices of the attack to tens of thousands of people as a precaution, not because their information had necessarily been compromised. The casino, she said, should not be punished for being a "good corporate citizen" and transparent in dealing with the hack.
In their statement of claim, the plaintiffs allege negligence, breach of contract, and intrusion on privacy among other things. They seek $60 million in compensation for damage to reputation, mental distress and costs incurred in dealing with the fallout of the hack.
"The specifics of when the hacker infiltrated Casino Rama's network, how the hacker infiltrated Casino Rama's network and servers, and the full extent of the data stolen by the hacker, were not released by Casino Rama, and are unknown to the plaintiffs," the statement of claim asserts.
What is known, their lawyer Ted Charney told the court on Thursday, is that two casino servers were hacked, even if the number of people and what information was on those servers have not been disclosed.
However, the plaintiffs allege, victims include past and present patrons, people who were part of a voluntary gambling-exclusion program, past and present casino employees, and vendors.
In urging a broader class definition, Charney leaned on new evidence: a report from Ontario's privacy commissioner released at the end of January. In her report, a commission investigator concluded the casino's security measures were insufficient and that it had failed to investigate the initial intrusion effectively.
"(Casino Rama) did not have reasonable security measures in place to prevent unauthorized access to records of personal information," the report concluded.
Charney argued the report bolstered his push for a bigger class, even if it was not clear exactly how many people were affected by the hack.
"Thank goodness we now have the commissioner's report," Charney said. "We have evidence now that a substantial number of patrons … had data on the two servers. There's some basis in fact that their information wasn't adequately protected."
For her part, Beagan-Flood said the privacy commission's report should receive little or no weight. The information of many patrons was stored on servers that could not have been hacked, she said.
"The (privacy commissioner) did not have all of the information," Beagan-Flood said. "The evidence is that the non-Windows servers would not have been vulnerable."
Superior Court Justice Edward Belobaba made it clear he wasn't interested in arguments on the merits of the unproven action. Instead, he said, he wanted to focus on whether evidence existed that could support a class action and who would be in the class.
He said he would likely have a certification decision in May.