A class action suit is in progress after an estimated 200,000 people had personal data exposed by a hacked server at Casino Rama in Ontario. The breach was made public back in November 2016 when the hacker was able to obtain credentials, access at least two of the casino’s servers, and then published patron’s names, addresses, credit files, and financial data, and threatened to publish more files if their demands were not met.
The attorney for the plaintiffs allege that negligence for proper cybersecurity allowed the attack, and have asked for $60 million in compensation. Their claim has been bolstered by a report from Ontario’s privacy commissioner in January, which concluded that the casino’s security measures were insufficient and that the incident response was also lacking due to the following findings:
- Casino Rama did not have reasonable security measures in place to prevent unauthorized access to records.
- A total of 39 Casino Rama network systems had been compromised in the attack.
- A number of security measures required by legislation were not implemented at the time of the cyber attack.
- Audit report recommendations made by the AGCO in 2015 were not implemented at Casino Rama due to limited IT resources, and the failure of Casino Rama to implement the audit report recommendations contributed to the cyber attack.
These findings are NOT unique to Casino Rama, and should serve as a warning to confirm that you (or your clients) are protected from this type of exposure by confirming:
- What data do we have that should be protected?
- What protections are currently in place, and would they be found “insufficient” in the event of legal action or audit? Are we doing regular testing to confirm their effectiveness?
- How will we determine if a breach occurs?
- Do we have a plan and the right resources to properly address various types of common incidents (malware, data breach, hardware failure, exposure of data via third-party vendor, etc.)