A proposed class-action lawsuit against Casino Rama has collapsed like a house of cards blown apart by a strong wind.
Ontario Superior Court Justice Edward Belobaba decided not to certify the suit that sought $60 million in damages in the wake of a 2016 cyber attack on Casino Rama gamblers.
Ted Charney, a lawyer for the plaintiffs, said as many as 200,000 people may have had their personal information stolen in a hack on servers at the casino east of Orillia.
Charney told the court two casino servers were hacked and noted the number of people and what information was on those servers had not been disclosed.
However, he alleged victims included past and present patrons, people who were part of a voluntary gambling-exclusion program, past and present casino employees, and vendors.
He asked for a broader class definition thanks to new evidence: a report from Ontario’s privacy commissioner released at the end of January.
In her report, a commission investigator concluded the casino’s security measures were insufficient and that it had failed to investigate the initial intrusion effectively.
However, a lawyer for Casino Rama countered that, at most, 10,000 to 11,000 people were victimized and the plaintiffs’ definition of who should be included in the proposed class action was far too broad.
The attacker, who apparently gained access through a phishing scam, posted the information — including names, addresses, credit files, gambling losses, income and place of employment — of about 10,900 people publicly on Nov. 11, 2016.
In all, the hacker published about 4.5 gigabytes of information, or 14,000 files, while threatening to release a further 150 gigabytes of data.
But Belobaba said there were “no provable losses.”
In his ruling, he also noted “the primary culprit, the hacker, is not sued as a defendant (which) makes for a very convoluted class action. Class counsel find themselves trying to force square (breach of privacy) pegs into round (tort and contract) holes.”
He also noted that much of the personal information in question was not sensitive.
The casino’s quick and proactive approach to the hack was also cited and applauded.
During a hearing on the matter a few months ago, Cathy Beagan-Flood, lawyer for the defendants, said the casino sent notices of the attack to tens of thousands of people as a precaution, not because their information had necessarily been compromised.
The casino, she said, should not be punished for being a “good corporate citizen” and transparent in dealing with the hack.
Rob Mitchell, director of communications and public affairs for Gateway Casinos & Entertainment, which now operates Casino Rama, declined to comment, because “Gateway did not operate Casino Rama Resort at the time of the cyber attack.”
-- With files from Canadian Press