A B.C. judge has certified a class action on behalf of nearly 39,000 people after a December 1, 2020 breach at TransLink exposed extensive personal and financial records across multiple subsidiaries. The court found plaintiffs plausibly allege TransLink “wilfully and without a claim of right” failed to safeguard data despite alleged foundational cybersecurity deficiencies, and common issues will be determined at trial. #TransLink #CoastMountainBusCompany
Keypoints
- A ransomware attack following a successful phishing attempt on a subsidiary employee led to unauthorized access of TransLink’s network on Dec. 1, 2020.
- TransLink confirmed by June 2021 that files and folders containing sensitive payroll and personal information had been accessed by cybercriminals.
- Exposed data included social insurance numbers, bank account details, payroll records, addresses, dates of birth, WorkSafe reports, and scanned cheques tied to the Access Transit Program.
- The plaintiffs narrowed their claim under the Privacy Act to allege TransLink “wilfully and without a claim of right” violated privacy, and the judge held access does not require proof a person viewed the data.
- The judge found class proceedings preferable, rejected some TransLink defenses such as offering credit monitoring as dispositive, and left liability and damages to be litigated at trial.