Toronto cyberattacks show public bodies need to boost security, experts say

As the Toronto Public Library gradually works to restore full service following a crippling October cyberattack, experts are warning that public organizations need to find ways to bolster their ransomware defences, despite having limited resources.

A few months after the library attack, another city-owned institution suffered a digital breach: the Toronto Zoo announced last month that personal information of its current, former and retired employees had been stolen.

The zoo has said the attackers gained access to past earnings information, social insurance numbers, birthdates, phone numbers and addresses of employees going as far back as 1989.

A local library network and a city zoo may not immediately seem like prime targets for the global ransomware industry, but one expert said they have a lot to offer prospective attackers.

Charles Finlay, the executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University, said public organizations make good targets because they store substantial amounts of personal employee data and because taxpayers expect them to be open and functioning.

Public organizations “are not going to be able to stay out of operation for very long and this provides leverage to the ransomware attackers to extort (payments),” he said. “Attackers view these organizations as having the resources to pay significant ransoms.”

iStock.com/Viorika

There is no indication the library paid a ransom, but restoring services has been a painstaking process.

In a statement released Monday, more than three months after the attack, the Toronto Public Library said it was beginning to put books back on shelves but that its catalogue and personal accounts would likely remain offline until later this month.

The zoo attack appears to have been significantly less damaging in terms of operations, but the zoo has offered all potentially affected current and former employees a complimentary two-year credit monitoring service as a “proactive step.”

Finlay said that to guard against future damage, public organizations need to embrace cybersecurity best practices, including two-factor authentication, regular software and password updates and not clicking on links in emails from untrusted senders.

Attackers adjust quickly and public bodies need to evolve as the threats change, he added.

“Ransomware is a multibillion-dollar global industry,” he said. “It’s exceptionally lucrative. It is a very sophisticated industry with its own supply chains. It’s an industry that innovates at a very fast pace.

“If you can make it just a little bit more expensive, a little bit more difficult for a ransomware gang to successfully attack your organization, they will go and look for something else to do,” he said.

Cybersecurity expert David Shipley, of Beauceron Security in Fredericton, noted that attackers typically strike in areas where they don’t live, to reduce the likelihood of being pursued by law enforcement.

Related: Toronto Public Library gradually recovering from hack, more services back next month

“Most cyber criminals know it’s really, really dumb to hack in the same jurisdiction where you live, because that’s when you’re most likely to actually get caught and prosecuted,” he said.

Kim Crawley, a prominent cybersecurity writer, noted that even corporations that make substantial profits often struggle to budget enough for digital security.

“So, imagine if you are an entity that’s a government service that does not exist to generate profit, like the library,” she said.

“Those entities don’t exist to make money, so there might be even less incentive to spend money on cybersecurity. And then you can’t even just decide to spend money on cybersecurity, because then what if that gets to be challenged in the library board or in city hall?”

Public and community bodies should look to pool resources to enhance their collective defences, she said.

The City of Toronto has said recently it is looking to bring its various boards and agencies under a single central IT system. The city said neither the zoo nor the library were part of its central IT systems prior to the recent attacks, nor did they fall under the responsibility of the Office of the Chief Information Security Officer.

Crawley said one challenge is that some decision-makers still view cyber expenses as a waste of money.

“I hope that this is a wake-up call for the Toronto Public Library and other organizations,” she said. “If they can’t afford to run their own security operation centre, they can share a security operation centre with other organizations.”

Feature image by iStock.com/alexsl