A pair of retired TransLink employees are suing the South Coast British Columbia Transportation Authority, claiming in a class action that a cyberattack last year that compromised sensitive personal data could have harmful consequences for the rest of their lives.
Representative plaintiffs James Thom and Brent Johnston filed a notice of civil claim under the Class Proceedings Act in BC Supreme Court on July 15. Thom, a retired customer service representative, and Johnston, a former bus driver, claim they were notified by TransLink via email in June 2021 that their personal information was compromised in a data breach in late 2020.
According to the claim, TransLink publicly confirmed the hack of current, former and retired employees’ personal data in December 2020, nearly a month after the breach was reported in the media. The information compromised in the hack includes names, addresses, social insurance numbers and banking details. Thom and Johnston claim the company later confirmed that salary and tax information was also breached in the cyberattack, in addition to WorkSafeBC incident records. In response, the company offered a two-year subscription to a credit monitoring and fraud protection service, but Thom and Johnston claim that class action members’ data “will at some point in the future be shared and disseminated online, and in other forums.”
“If it has not already been monetized, it is at risk of being so in the future,” the claim states.
Class members, according to the lawsuit, have been forced into the “unenviable position” of having to monitor their personal information for abuse, a risk that is “ongoing for the lifespan of the plaintiffs and class members.”
Moreover, the breach makes it likely that those affected will suffer both future and imminent harm, because disclosure of personal health information could impact insurance rates and impede future travel and employment opportunities, as well as their ability to qualify for credit “and other business opportunities.”
“The Defendant downplayed the data breach and risks and took several months … to identify class members who had their personal data compromised,” the claim states. “The data breached is now in the hands of unknown third-party criminals and nefarious individuals and is in those hands for the lifetime of the Plaintiffs and Class Members.”
Thom and Johnston seek class certification for the action, and damages for breach of contract, breach of trust, breach of fiduciary duty and breach of privacy. Their allegations have not been tested or proven in court, and TransLink had not responded to the claim by press time.