Cyberattacks have become an increasingly common threat to information security and privacy. Often these attacks are accompanied by a threat to make the stolen information public.
This week, the Ontario Lottery and Gaming Corporation (OLG) reported to the IPC that Casino Rama Resort has been subjected to a cyberattack in which data containing personal information of customers and staff was accessed through malicious software, or malware, on their computer network.
The OLG has reported the incident to our office and has advised us of the steps they are taking to investigate and respond to the attack. These include:
- Working with cyber security experts to determine the scope of the attack, including the extent of private information that may have been stolen
- Notifying the appropriate law enforcement and regulatory agencies, including the Ontario Provincial Police (OPP), the Royal Canadian Mounted Police (RCMP), the OLG, the Alcohol and Gaming Commission of Ontario (AGCO), and the Office of the Privacy Commissioner of Canada (OPC)
- Notifying individuals who might be affected by the breach, and providing advice and assistance to customers whose personal information might be at risk of identity theft
We have opened an investigation and will continue to work with the OLG as they review and strengthen the measures they have in place, or will implement, to protect their systems against future attacks, and to ensure that they meet their obligations under Ontario’s privacy legislation.
The IPC would like to remind institutions that under Ontario’s freedom of information and privacy laws, they are required to have “reasonable” measures in place to protect the security of their records. We recommend a number of administrative and technological steps to assist institutions in meeting their legislative requirements. These steps include employee training, limiting user privileges, software protections and more.
If personal information has been compromised through a cyberattack, public institutions and healthcare organizations should contact the IPC for advice and further guidance.
If a member of the public believes their personal information has not been handled appropriately, they may file a complaint with our office. We can be reached at 1-800-387-0073.
For information and guidance on online security, the following IPC guidance is available: