The B.C. Supreme Court has refused to certify a proposed class action against TransLink over a data breach three years ago that affected thousands of current and former employees.
The ruling, posted Tuesday, reveals new details about the December 2020 hack and ransomware attack — including that nearly 40,000 people were informed their personal information may have been accessed.
The proposed class action was brought by five retired TransLink employees, who made several claims including a violation of legal obligations on TransLink’s part to safeguard privacy and negligence.
But in her ruling, Justice Sandra Wilkinson rejected the claims, finding the arguments were “bound to fail” if the case proceeded to trial.
On the privacy claims, Wilkinson found the plaintiffs made “bald and conclusory allegations” that were absent of “any material facts” that there was “intentional or willful violation of privacy” on the part of the transit authority.
Regarding negligence, she found the province’s Freedom of Information and Protection of Privacy Act provides its own “comprehensive complaint and remedy scheme for violations,” but excludes the right to sue in civil court over alleged breaches.
In a statement, TransLink said it was “pleased” with the outcome which “supports the evidence put forward and allows the matter to be resolved.”
New details in data breach
While the ruling shut down the possibility of a class action trial, it did offer new insights into the scale of the breach at TransLink.
The December incident resulted in an outage of TransLink’s Compass tap-to-pay system and online trip planning tools for several days, and forced the company to temporarily use cash advances to pay workers.
According to the document, TransLink’s Business Technology Services discovered the breach on Dec. 1, 2020, and took steps to contain it by shutting down some IT systems, notifying police and launching its own investigation.
Two days later the transit authority confirmed it had been hit by a ransomware attack, and that hackers had been able to gain unauthorized access to its network security through a successful phishing attempt on an employee of one of TansLink’s subsidiaries.
TransLink launched a public website with information about the attack and offered two years of free credit monitoring to all current and former enterprise employees, Taxi-Saver cheque payors and affected third parties, though the ruling says whether all affected people got this information is disputed.
By June 2021, the ruling states, TransLink was able to confirm various files and folders the hackers had accessed.
Those included personal payroll information for TransLink, Coast Mountain Bus Company and transit police employees, sensitive personal information of some SkyTrain and West Coast Express employees and sensitive information of some former enterprise employees and a limited number of their spouses and dependents.
It also included sensitive personal information about some third parties, including some HandyDART operators, former BC Transit Employees and witnesses, drivers and injured third parties involved in incidents involving transit vehicles.
Some people who’d paid for TaxiSaver coupons with cheques were also affected, according to the ruling.
TransLink was able to confirm some data was copied out of the systems, but wasn’t able to pin down exactly what information was viewed or exfiltrated.
“At most, TransLink’s investigation enabled it to identify individuals’ sensitive personal information that was subject to access, or exposed to view, by the cybercriminals,” the ruling found.
Starting in February 2021, the transit authority started sending out personalized notification letters to people whose information it could confirm had been accessed by hackers, with details on what information may have been viewed and codes to set up the free credit monitoring.
In total, the ruling states nearly 58,000 such letters were sent out to just under 39,000 people.
TransLink said because the matter remains subject to appeal it is “limited” in what it can say about the incident.
“TransLink’s investigation was to determine what sensitive personal information was unlawfully accessed. Subsequently privacy breach notifications were sent to impacted individuals,” the transit authority said.
“We are not aware of any misuse of sensitive personal information that was accessed during the incident.”