DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Plaintiffs in Casino Rama class-action lawsuit and defendants argue in court over how big the class should be.

Posted on March 30, 2019 by Dissent

In November, 2016, Casino Rama in Ontario disclosed that it  had been hacked. Shortly thereafter, we learned that some of that data had already been leaked online. The hackers, who signed themselves as “Anonymous Threat Agent,” wrote that the breach was “extremely simple” and that “no security systems were in place leaving the whole casino network wide open.”

At that time, the hackers dumped about 14,000 records related to almost 11,000 people, while claiming that they had another 150 gigabytes of data.

Not totally surprisingly, the casino is facing a class-action lawsuit. In June, 2018, the casino got an adverse ruling from the court, which held that the casino would have to hand over a computer forensics investigation report to the plaintiffs.

In the latest development, Colin Perkel reports that lawyers for the plaintiffs are claiming that as many as 200,000 people may have had their personal information stolen — an allegation that the casino denies, claiming that at most, 10,000 – 11,000 were impacted.

The plaintiffs may find some help in a recent report by the Ontario Privacy Commission on the results of that office’s investigation into the incident. And that report is the first the public has seen of any of the details of the hack. Of note, the report makes clear that this was a phishing attack that some employees fell for, but even when the attack was reported up the chain by alert employees, the casino may not have taken sufficient countermeasures to block the attackers from connecting remotely from a Russian IP address and transferring files to DropBox.  By the time the casino really blocked remote access and exfiltration of data, 39 casino systems had been compromised.

In response to the plaintiff’s lawyer’s claims, the casino’s lawyer told the court that the privacy commissioner’s office did not have full details and their report shouldn’t be relied upon to determine how large the potential class-action class should be.

The court will likely decide the scope of class issue in May, but there will be a lot more to come in this case.

In the meantime, watch this space next week for a follow-up on another Canadian hack that may give you a feeling of deja vu. And yes, spoiler alert:  I think it is the same threat actor group, just calling themselves by a different name. Stay tuned.

 

 

 

Category: Business SectorCommentaries and AnalysesNon-U.S.Of NotePhishing

Post navigation

← DePaul experienced phishing-related data breach, notified 902 health program clients (updated, corrected)
NY: Albany attacked by ransomware hack, mayor says →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Why Dumping Sensitive Data on Network Shares is a Liability
  • A militarily degraded Iran may turn to asymmetrical warfare – raising risk of proxy and cyber attacks
  • Pro-Russian hackers disrupt Dutch government websites ahead of NATO summit
  • Iran-Linked Threat Actors Leak Visitors and Athletes’ Data from Saudi Games
  • UK: Oxford City Council still investigating cyberattack from earlier this month
  • Steelmaker Nucor Says Hackers Stole Data in Recent Attack
  • People’s Republic of China cyber threat activity: Cyber Threat Bulletin
  • Ukrainian Web3 security auditing company Hacken suffered an attack that allowed a hacker to create 900 million HAI tokens
  • McLaren provides written notice to 743,131 patients after ransomware attack in July 2024 (1)
  • A state forensics lab was leaking its files. Getting it locked down involved a number of people.

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Sky Views Personal Data as a Potential Weapon in IPTV Piracy War
  • Florida Used a Nationwide Surveillance Camera Network 250 Times To Aid in Immigration Arrests
  • Federal Court Strikes Down HIPAA Reproductive Health Care Privacy Rule
  • The Markup caught 4 more states sharing personal health data with Big Tech
  • Privacy in the Big Sky State: Montana’s Consumer Privacy Law Gets Amended
  • UK Passes Data Use and Access Regulation Bill
  • Officials defend Liberal bill that would force hospitals, banks, hotels to hand over data

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.