TransLink ransomware attack leads to class-action lawsuit from ex-employee

The lawsuit alleges valuable personal information including banking data belonging to employees and “other stakeholders” was lost, stolen or compromised in a December data breach. It alleges TransLink “recklessly” failed to protect personal information.

Transit authority says it had many security measures before attack and gave as much information as possible

A former TransLink employee has filed a class-action lawsuit on behalf of himself and others who say their personal data was lost, stolen or compromised after a ransomware attack on TransLink's IT systems. (Ben Nelms/CBC)

A retired TransLink worker is suing his former employer following a ransomware attack announced in December.

The class-action lawsuit, which has not yet been certified, alleges valuable personal information including banking data belonging to employees and "other stakeholders" was lost, stolen or compromised in the breach.

The retiree's lawsuit says TransLink "recklessly" failed to uphold its obligations under privacy laws to protect personal information with reasonable security measures.

"This is a very concerning situation," said the retiree's lawyer, Toronto-based Sage Nematollahi, whose firm KND Complex Litigation filed the action with co-counsel Diamond & Diamond.

"What this class action seeks to accomplish is firstly to get a handle on the facts of what really happened, who was impacted, what sort of personal information was compromised and in what ways and what risk would arise," Nematollahi said.

Nematollahi said his client is remaining anonymous at this time due to ongoing concerns about his personal information.

The lawsuit claims the data breach led to damages and losses to the employees and other unspecified stakeholders. It claims it put their property, finances, creditworthiness, reputations and relationships at risk.

The lawsuit claims unspecified damages. None of its claims have been tested yet in court.

'Wake-up call'

Ransomware is a type of malicious software that disables part of a computer system or access to data until a ransom is paid.

The lawsuit claims TransLink didn't have adequate security measures and failed to review those measures, monitor its systems or train staff on preventing data breaches.

It further alleges that TransLink did not adequately communicate the scope and impacts of the breach, or the risks to which employees and retirees are exposed.

It wasn't until almost a month after the breach, the lawsuit continues, that TransLink confirmed employees' social insurance and banking information was compromised and advised them to subscribe to a credit monitoring service.

The lawsuit alleges valuable personal information of employees and other unspecified stakeholders was put at risk in the data breach. (Ben Nelms/CBC)

"Where personal information of people is impacted, time is of the essence," Nematollahi said.

"People need to know … what sort of information may be floating around out there and who may actually have access to it so that people can assess the risks."

In addition to seeking damages, the plaintiff is also seeking improvements from TransLink when it comes to stewardship of personal data.

"I would like to think of a situation like this also as a wake-up call to organizations in Canada," Nematollahi said. "They are increasingly the target of ... cyber security attacks and they need to do a little bit better."

TransLink defends security, response

TransLink, in an email, said it could not comment on the lawsuit but said it had many security systems in place to protect the personal data of customers and employees.

It also said it provided as much information as possible as soon as possible.

"TransLink proactively disclosed suspicious activity on our network and associated impacts within hours of this incident occurring," a spokesperson wrote in an email.

"Throughout this incident, we have proactively and on an ongoing basis disclosed as much accurate information as we can to keep people informed as best as we are able at this point in an ongoing forensic and police investigation."

Symptoms of the ransomware attack were seen when riders were not able to use credit or debit cards for several days.

TransLink said "suspicious network activity" affected some of its information technology systems and some online services were disabled "out of an abundance of caution."