An employee is suing Harrington Raceway & Casino for failing to secure and protect personally identifiable information (PII) in its care. The proposed class action follows a recently disclosed data breach that exposed employees’ names, Social Security numbers, and, potentially, other private details.
It’s unclear from the filing whether the lead plaintiff, Jaysin Hoyle, still works at the casino. Hoyle was working as a line cook at the casino at the time of the breach.
Filings for the case appeared on April 17 in a Delaware federal court. The claim alleges that the security breach was “foreseeable” and that Harrington had failed to implement adequate safeguards for employee data, including Hoyle’s.
Suit Claims Harrington Handled Stored Data Recklessly
Situated on the grounds at Delaware State Fair, Harrington Raceway & Casino offers customers harness racing and casino entertainment.
According to the filing, Harrington collected Hoyle’s personal information at the time of hiring. It states:
Despite their duties to Plaintiff and Class Members, Defendant stored their Private Information on a database that was negligently and/or recklessly configured. This misconfiguration allowed files on the database to be accessed without a password or any form of multifactor authentication.
The court filing goes on to explain that Harrington uncovered suspicious activity on its network near the end of December 2022. The casino shut down unexpectedly on Dec 27, 2022, due to “technical difficulties.”
On Feb 1, 2023, the casino released a statement seeming to confirm that there had been an attack. It said unauthorized parties “may have” compromised information between Dec 12 and Dec 27, 2022.
On March 10, a review determined the breach included private personal information.
The suit asserts that Harrington had been reckless and negligent in how it stored that private data:
Private Information was maintained on a database that was not password protected and therefore accessible to any member of the public […] Foreseeably, cybercriminals exploited this obvious vulnerability, exfiltrated Plaintiff’s and Class Members’ Private Information from the database…
Stolen Data Allegedly Posted on Dark Web
According to the plaintiff’s filing, thieves eventually listed the stolen information on the dark web. However, that portion of the claim remains untested in court.
The dark web is the part of the internet reachable only through anonymizing overlay networks such as Tor, not through a conventional browser. Visitors to dark web sites need special software, such as the Tor Browser, and some knowledge of how to use it safely. As a result, it is “the Wild West of the World Wide Web,” used both by activists in repressive regimes and by criminals.
Many sites on the dark web are effectively black markets for drugs and other contraband. Another common commodity is stolen personal data. Buyers may use such data for various forms of fraud: static identifiers like names and Social Security numbers feed identity theft and new-account fraud directly, while dumps that include email addresses and reused passwords fuel credential-stuffing attacks like the one that hit DraftKings last year. A suspect was recently arrested in that case.
The suit alludes to such possibilities in explaining the damages suffered by the plaintiff:
Given the theft of information that is largely static — like Social Security numbers — this risk will remain with Plaintiff and Class Members for the rest of their lives.
Hoyle brings claims for negligence, breach of implied contract, and unjust enrichment on behalf of anyone exposed in the Harrington breach. The filing seeks class certification, damages, costs and fees, and a jury trial.
Hoyle also wants Harrington to upgrade its security protocols and processes for collecting and storing private information:
Plaintiff and Class Members have an interest in ensuring that their Personally Identifiable Information, which is believed to remain in the possession of Defendant, is protected from further breaches by the implementation of security measures and safeguards, including but not limited to, making sure that the storage of data or documents containing Private Information is not accessible online and that access to such data is encrypted and password protected.
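The complaint’s central allegation (a database reachable without a password) and the remedy it asks for (data not accessible online, encrypted in transit, and password protected) come down to three settings in any database server: which client addresses may connect, whether the connection must be encrypted, and how clients authenticate. The filing does not say which database product Harrington used. As an added example, not from the filing, this page, or Harrington, the script below audits those three properties in a PostgreSQL pg_hba.conf, where the “trust” method on a 0.0.0.0/0 rule is exactly a database “not password protected and therefore accessible to any member of the public.” PostgreSQL is an assumption, and the sample rules are constructed for the demonstration.

```python
"""Audit a PostgreSQL pg_hba.conf for rules that admit connections with no
password, with a weak method, over plaintext, or from the public internet.

Added example.  The complaint does not name the database product; PostgreSQL
is an assumption here, and SAMPLE_PG_HBA is constructed for the demonstration.
"""
import ipaddress

# Constructed sample.  Lines 3 and 4 are the pattern the complaint describes:
# any client that can reach the port is let in with no password at all.
SAMPLE_PG_HBA = """\
# TYPE   DATABASE  USER  ADDRESS             METHOD
local    all       all                       peer
host     all       all   0.0.0.0/0           trust
host     all       all   ::/0                trust
host     hr        hr    10.0.0.0 255.0.0.0  md5
hostssl  hr        hr    10.20.0.0/16        scram-sha-256
"""

# Ranges treated as internal; anything outside them is reachable from the internet.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
NO_PASSWORD = {"trust"}              # no credential of any kind
WEAK_PASSWORD = {"password", "md5"}  # cleartext password / legacy MD5 hash


def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def is_internal(address):
    """True when the ADDRESS column only admits loopback or private-range clients."""
    if address in ("samehost", "samenet"):
        return True
    if address == "all":
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return False  # a hostname: cannot be shown internal, so treat as exposed
    return any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def parse_pg_hba(text):
    """Return one dict per rule: line, type, db, user, address, method."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":                 # Unix-socket rule, no ADDRESS column
            if len(fields) >= 4:
                rules.append(dict(line=lineno, type="local", db=fields[1],
                                  user=fields[2], address=None, method=fields[3]))
            continue
        if len(fields) < 5:
            continue
        address, rest = fields[3], fields[4:]
        if "/" not in address and _is_ip(rest[0]):  # old "ADDRESS NETMASK" form
            address, rest = f"{address}/{rest[0]}", rest[1:]
        if rest:
            rules.append(dict(line=lineno, type=fields[0], db=fields[1],
                              user=fields[2], address=address, method=rest[0]))
    return rules


def audit(rules):
    """Return (severity, line, message) tuples, most severe first."""
    findings = []
    for r in rules:
        if r["type"] == "local":
            continue                              # not reachable over the network
        exposed = not is_internal(r["address"])
        if r["method"] in NO_PASSWORD:
            findings.append(("CRITICAL" if exposed else "HIGH", r["line"],
                             f"'trust' admits any client from {r['address']} with no password"))
        elif r["method"] in WEAK_PASSWORD:
            findings.append(("MEDIUM", r["line"],
                             f"{r['method']} is weak; use scram-sha-256"))
        if r["type"] in ("host", "hostnossl"):   # hostssl is the only TLS-required type
            findings.append(("MEDIUM", r["line"],
                             f"{r['type']} allows unencrypted connections from {r['address']}; use hostssl"))
    rank = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


if __name__ == "__main__":
    for sev, line, msg in audit(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"{sev:8} line {line}: {msg}")
```

Run against the sample, the two public “trust” rules come out as CRITICAL, the legacy md5 rule and every plain `host` line as MEDIUM, and only the `hostssl ... scram-sha-256` rule restricted to an internal range passes clean. A pg_hba.conf is just one place such a misconfiguration lives; the same three questions (who can reach it, is the transport encrypted, how does it authenticate) apply to the listen address, TLS settings, and firewall rules in front of any database.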
Injunctive Relief Would Protect Victims Still at Risk
Delaware’s three racetrack casinos offer online casino games through a partnership between 888 Holdings and the state lottery. According to reporting by Delaware Online, Harrington’s online casino was still up and running two days after the physical casino closed due to the attack.
However, beyond a brief statement issued via its Facebook page that Thursday, Harrington said little publicly:
Harrington Raceway, Inc. is currently experiencing technical difficulties that are causing a temporary disruption to gaming and computer systems. We are working diligently to investigate the source of the disruption, confirm its impact on our systems, and restore full functionality to our affected systems as quickly as possible. We have significant resources, including cyber security specialists, devoted to this process and our work to resolve this issue is ongoing.
The casino eventually reopened on Saturday, Dec 31, in time for a planned New Year’s Eve event.
However, data breach notices filed in Delaware and Maine on April 10 indicate Harrington didn’t fully confirm a breach of personal information until March.
Harrington also notified nearly 13,000 affected individuals in an April letter.
Those affected, argues the Hoyle filing, are still at risk:
Unless a Class-wide injunction is issued, Defendant may continue in their failure to properly secure the Private Information of Class Members, Defendant may continue to refuse to provide proper notification to Class Members regarding the Data Breach, and Defendant may continue to act unlawfully as set forth in this Complaint.
Nevada’s Rancho Mesquite Casino faces a similar class action lawsuit that alleges it left its computer network vulnerable to attack before a 2022 breach that exposed the personal information of more than 200,000 customers and employees.