PR16-40

Collection: Privacy Reports
Date:
File Numbers: PR16-40
Adjudicators: Lucy Costa
Decision Type: Privacy Complaint Report
Applicable Legislation: FIPPA; FIPPA - Regulation 460; Criminal Code; Ontario Lottery and Gaming Corporation Act; Gaming Control Act; Proceeds of Crime (Money Laundering) and Terrorist Financing Act

On November 9, 2016, the Ontario Lottery and Gaming Corporation (OLG) notified the Office of the Information and Privacy Commissioner/Ontario (the IPC) of a possible privacy breach under the Freedom of Information and Protection of Privacy Act (FIPPA or the Act). OLG advised that a hacker had managed to steal information about employees and patrons of Casino Rama Resort (CRR) and was threatening to make the information public unless he was paid a ransom. OLG could not confirm the amount or extent of information in possession of the hacker. OLG further stated that the hacker claimed to have 154 gigabytes of CRR data and had posted examples of the information online. On November 21, 2016, the hacker released 4.49 gigabytes of CRR data on the Internet, reported to consist of more than 14,000 documents.

In this report, I conclude that CRR did not have reasonable security measures in place to prevent unauthorized access to records of personal information of CRR patrons and individuals registered for OLG’s self-exclusion program (OLG self-exclusion registrants); however, since the breach, CRR has taken steps to address the gaps in its systems and processes. Although I am generally satisfied with CRR’s response to the breach in this regard, this report makes additional recommendations to address some specific shortcomings.

The other pillar of the IPC’s investigation concerns the contract between OLG and the private-sector company responsible for operating CRR on behalf of OLG, CHC Casinos Canada Limited (CHC or the Operator). In this report, I conclude that OLG did not have reasonable contractual and oversight measures in place to ensure the privacy and security of the personal information of CRR patrons and OLG self-exclusion registrants. This report also makes recommendations to address these shortcomings.