January 20, 2017 by
In July 2015 it came to light that Ashley Madison, an online dating website for married people seeking “discreet encounters”, had been hacked by a group that identified itself as “The Impact Team”. Media reported that the hackers threatened to release the website’s users’ personal information if the site was not shut down.
Avid Life Media (ALM), the Toronto-based company that operates Ashley Madison, announced it had removed any personally identifiable information (PID) from its site, but a month later media reported that the information the hackers had stolen was published online. According to the website for Sutts, Strosberg LLP, a law firm handling a class-action suit against the company, the disclosed information, which pertained to 30 to 40 million users, included: “the names, addresses, e-mail addresses, phone numbers, gender, dates of birth, profile captions, weight and height, lifestyle attributes and preferences, relationship statuses, sexual preferences, credit card information, and transaction history.” The information of people who had paid Ashley Madison to delete their data was also included.
As a result, the company lost about a quarter of its annual revenue, there were reports of suicides, resignations and marriage breakups, and the Office of the Privacy Commissioner of Canada, together with the Office of the Australian Information Commissioner, investigated. The results of that investigation were released in a report this August, which noted that the company’s security measures were lacking and that its use of a fake security verification was deceptive.
“Security measures should be documented in writing and include technological, physical and organizational safeguards,” said Canadian Privacy Commissioner Daniel Therrien. “Businesses must also assess risks, align their policies to mitigate those risks and train employees to ensure that policies are actually implemented and followed.”
The investigation, which examined Avid Life Media’s compliance with both the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private sector privacy law, and Australia’s Privacy Act, focused on four key issues: information security; retention and deletion of user accounts; accuracy of email addresses; and transparency with users.
The investigation found the company was inappropriately retaining some personal information after profiles had been deactivated or deleted by users.
The investigation also discovered the company did not adequately ensure the accuracy of customer email addresses it held, an issue that resulted in the email addresses of people who had never actually signed up for Ashley Madison being included in the databases published online following the breach. This issue raised particular concerns given that, for both users and non-users, any association with a site such as Ashley Madison could cause serious reputational harm.
Finally, with respect to transparency, investigators found that at the time of the breach, the home page of the Ashley Madison website included various trustmarks suggesting a high level of security, including a medal icon labelled “trusted security award”. ALM officials later admitted the trustmark was their own fabrication and removed it.
The Commissioners issued a number of recommendations aimed at bringing the company into compliance with privacy laws in a timely fashion. ALM (now renamed Ruby Corp.) cooperated with the investigation and agreed to demonstrate its commitment to addressing privacy concerns by entering into a compliance agreement with the Canadian Commissioner and an enforceable undertaking with the Australian Commissioner, making the recommendations enforceable in court.
On August 20, 2015, Charney Lawyers and Sutts, Strosberg LLP launched a national class action against the owners and operators of AshleyMadison.com. This lawsuit was filed in Toronto on behalf of all residents of Canada who subscribed to the website. The plaintiff claimed $760 million in damages, alleging Ashley Madison’s parent companies are liable to the representative plaintiff and class members for breach of contract, breach of Ontario’s Consumer Protection Act, negligence, intrusion upon seclusion, breach of privacy, and publicity given to private life.
On August 25, 2015, the same law firms filed a class action in Montreal on behalf of all Quebec residents who subscribed to Ashley Madison.
On November 4, 2016, Casino Rama Resort, a First Nations commercial casino and resort near Orillia, Ontario, learned it had been the victim of a cyber attack. Initially the casino reported that “past and present customer, employee and vendor information” had been stolen. Subsequently it was revealed that the information had been published on the Internet.
CityNews.ca reported on November 11 that it had found links to the data online, which included “collection agency information, revenue reports from the casino and hotel, and customers’ credit and betting histories.”
According to the casino’s website, this fits with what the hacker claims to have accessed: information that includes Casino Rama Resort IT information, financial reports regarding the hotel and casino, security incident reports, Casino Rama Resort email, patron credit inquiries, collection and debt information, vendor information and contracts, and employee information including performance reviews, payroll data, terminations, social insurance numbers and dates of birth. The hacker claims that the employee information dates from 2004 to 2016, and that some of the other categories of information taken date back to 2007.
The casino is working with provincial and federal police departments and the Ontario Lottery and Gaming Commission (OLG), and has alerted the Ontario and federal privacy commissioners.
Flaherty McCarthy LLP filed a second suit on November 15, 2016, seeking $500 million in damages.
The matter of the hack and online disclosure is still under investigation by police.
Internet email and services provider Yahoo revealed two major data breaches in recent weeks. In September 2016 the company announced that in late 2014 over 500 million of its user accounts had been hacked. Then, in December 2016, the company confessed to another hacking incident, which took place in August 2013. This one affected data from over one billion user accounts.
The company also said that an unspecified number of additional accounts were compromised through an attack involving forged cookies.
These are likely the largest breaches ever to have occurred. Data stolen included names, email addresses, phone numbers, security questions and answers, dates of birth and encrypted passwords.
Class actions are being prepared. In Canada, Charney Lawyers has filed a notice of action of a $50 million claim, and is seeking class members. The law firms are asking anyone with a Yahoo account since before 2015 to register.
Anyone with a Yahoo account, including Mail, Answers, Auto, Finance, Groups, Messenger, along with Flickr, Sky, Tumblr and more, is advised to change their passwords and clear their browser cache immediately and regularly.