
Tens of thousands of potential victims cleared to sue for privacy violations after 2020 cyber attack exposed social insurance numbers, bank info and payroll data
A B.C. judge has certified a class action lawsuit potentially involving nearly 39,000 people after their personal and financial information was accessed in a ransomware attack on the province’s largest transportation authority.
The data security breach dates back to Dec. 1, 2020, when information technology staff at the South Coast B.C. Transportation Authority—better known as TransLink—discovered hackers had breached their IT network.
Over the coming days, TransLink attempted to respond and contain the threat—isolating and shutting down systems, calling police and launching an investigation, according to a B.C. Supreme Court decision handed down this week.
“Despite TransLink’s cybersecurity program, cybercriminals were able to gain unauthorized access into TransLink’s network security and insert the ransomware following a successful phishing attempt on one of TransLink’s operating subsidiaries’ employees,” wrote Justice Sandra Wilkinson in her decision.
By June 2021, TransLink’s investigation confirmed that a number of files and folders had been accessed by cybercriminals.
The hacked information contained everything from social insurance and bank account numbers to WorkSafe reports, home addresses and personal details like date of birth, tax deductions and wages.
The ruling names a wide range of information that could impact workers, their families and third parties. It includes:
- Payroll information for TransLink staff, transit police and the Coast Mountain Bus Company.
- Sensitive personal information for some employees at BC Rapid Transit Co. Ltd., West Coast Express, as well as some former and retired employees, their spouses and beneficiaries.
- Sensitive personal information about third parties, including HandyDART operators, former BC Transit employees, and third parties involved in incidents with TransLink vehicles, including witnesses, those who were injured and other drivers.
- Scanned cheques used to buy TaxiSaver coupons as part of TransLink’s Access Transit Program, which often involved personal information of a family member, friend, care provider or spouse.
At one point, TransLink sent 57,820 letters to 38,958 individuals whose personal information was confirmed to have been subjected to access by the cybercriminals, the decision said.
The lead plaintiffs in the proposed class action are all former TransLink employees who have since retired.
In 2024, B.C.’s Court of Appeal overturned a lower court’s ruling that had dismissed their attempt to certify the class action. The latest attempt was successful after the plaintiffs narrowed their claim to a single section of the Privacy Act, alleging TransLink “wilfully and without a claim of right” violated their privacy by failing to safeguard data.
TransLink argued that the plaintiffs couldn’t prove hackers actually viewed or downloaded specific files, only that they had the ability to do so. In her latest ruling, Wilkinson rejected that argument, stating that “access” under B.C.’s privacy law does not necessarily require proof that a human looked at the data or stole it.
Whether it was in fact accessed in violation of TransLink’s obligation to safeguard the information is something that can be determined at trial, Wilkinson said.
A cybersecurity expert involved in the case told the court that TransLink’s computer measures had “foundational” deficiencies, including inadequate threat monitoring, and a lack of data encryption and executive oversight.
TransLink had argued against the class action lawsuit, citing its previous offer of a two-year complimentary credit monitoring package as well as identity theft protection up to $50,000 to those affected by the data breach.
Wilkinson pushed back against the idea that those measures went far enough. The judge’s decision stated that credit monitoring and the insurance claim process do not always equate to resolving the claims in court.
“In the circumstances I find that a class proceeding is the preferable procedure for a fair and efficient resolution of the common issues,” ruled Wilkinson.
The judge approved a number of damages to be litigated at a future trial. She dismissed claims that TransLink was vicariously liable for acts of its subsidiaries because the transportation authority is a separate statutory body.
The plaintiffs also sought a full disgorgement of profits related to the cyber attack. But Wilkinson struck down that litigation path, finding no evidence that TransLink had profited from the breach.
The lawsuit represents all the nearly 39,000 individuals notified by TransLink that their information was compromised, excluding employees who are members of the MoveUp union.








