Calgary

Questions and answers on the Cowboy's Casino cyber attack

Customers and staff of Cowboy's Casino in Calgary who have had their personal information leaked online probably have a lot of questions. David Gerhard, a computer science professor at the University of Regina, sheds some light.

A computer science professor talks about what you can do if your information was stolen

The personal information of 14,294 customers, clients and staff was stolen in a 2016 cyberattack at Cowboys Casino. (CBC)

Customers and staff of Cowboy's Casino in Calgary who have had their personal information leaked online probably have a lot of questions about what happened and what they can do to protect themselves.

Information about 14,294 patrons and staff was hacked in 2016. The casino alerted Alberta's privacy commissioner and reached out to all affected customers.

Some of the information resurfaced recently on a data-sharing website, along with a note, saying "we asked cowboys casino to fix the [gaping] holes in their system but our request was ignored for over a year."

David Gerhard, a computer science professor at the University of Regina, spoke to the Calgary Eyeopener about the situation. 

Here's part of the interview:

Q: Is this like a do-gooder hacker? This is a very strange situation, isn't it?

A: If you believe what the hackers are saying, then yeah, this is what we might call a white-hat hacker. Which is the white hats in the movies are the good guys and the black hats in the cowboy movies are the bad guys. So this could theoretically be a good guy hacker trying to improve the security of an organization who they have discovered has a hole in their security system. People do this from time to time.

Q: How common is it for a casino to be targeted?

A: It is not entirely clear that the fact it was a casino was why it was targeted. Often what will happen with these hackers is that they will run these scripts that will look around the internet and try to find vulnerabilities. Every business has employee and client records and if you can find somebody who is vulnerable then you can use that to your advantage.

Q: When you steal information like this there's no way to recover it. What can the casino, or any organization in their place, now do about it?

A: What they are doing is they are informing their clients and customers that this is a possibility. And that's about all they can do. Information can be infinitely and freely copied. Once it's out there, it can get traded around from information broker to information broker. People can collect the information and do whatever they want about it. Names and addresses are reasonably public information, but if you combine that with answers to security questions or gambling habits, then you can start to build a profile that could be potentially damaging.

Q: Is there anything police can do about this?

A: Police will do whatever they can. There's two challenges with this. If you are an internet hacker, you are usually smart enough to be able to cover your trails reasonably well. That's one problem. The other problem is most of the time and energy the police are spending on cyber crime involve child pornography rings, things like that… These folks could be anywhere. If they are local Calgary people and they could be tracked down, that's great. But they could be in Russia or China or Paraguay or anywhere else. Even if we could find out who they are and even if we could track them down, we don't have any jurisdiction there anyway.

Q: As an individual who has identity stolen through your connection to the casino, what can you do to protect yourself?

A: First thing to do is change your password on your casino account and any other web service where you use the same password. We always encourage people to use different passwords for different services but many people will use the same password … Change your security questions, like when you call the bank and they say, 'What's your mother's maiden name? Call the bank and whatever else kind of online systems and change those questions. If it's something like gambling habits or names and address, those are thing you can't change. You could move, I guess, but that seems a bit drastic.


With files from the Calgary Eyeopener