TTC says personal info of up to 25,000 current, former employees accessed in cyberattack

Toronto’s public transit authority says it now believes the personal information of up to 25,000 employees, former transit workers and pensioners was stolen in a ransomware attack last month.

Names, addresses and social insurance numbers were taken, said the Toronto Transit Commission, which operates the city’s bus, subway, streetcar and paratransit services. There is no evidence any of the information has been misused, it added.

“What we know about the threat actors in this case is that they belong to an extremely well-organized enterprise. On behalf of the entire organization, I want to express my deep regret that this has occurred to everyone who may be impacted,” TTC chief executive Rick Leary said in a statement.

The commission said it is notifying affected individuals and will provide them with three years of credit monitoring and identity theft protection through TransUnion.

The transit authority is investigating whether customers and vendors were also affected by the sophisticated incident.

The breach was detected just one day before a ransomware attack hit Newfoundland and Labrador’s health system data centres on Oct. 30.

iStock.com/muberraturan

Data breaches have become a familiar feature on the corporate and public-sector landscape, with the risk ramping up during the COVID-19 pandemic, experts say.

“Ransomware attackers have been targeting health-care organizations during the pandemic because we as the public and as governments cannot endure those health-care organizations and networks being out of service,” said Charles Finlay, executive director of the Rogers Cybersecure Catalyst at Ryerson University.

“The sheer number of attacks in general has increased. They’ve increased in sophistication. And COVID-19 has meant that attacks on certain kinds of organizations have also increased.”

Finlay said national intelligence agencies and law enforcement at all levels need to treat cyber threats as a major domestic security challenge.

“Ransomware is a multibillion-dollar global industry. It is highly organized … it’s very well financed,” he said.

“This is organized crime operating at the most sophisticated level.”

TTC’s Leary said the organization has been working day and night since it announced the cyberattack on Oct. 29 to get its services back online and gain a clearer understanding about the breadth of the incident.

Starting on Oct. 28, the breach saw several TTC servers encrypted and locked, resulting in the loss of its Vision system, which is used to communicate with vehicle operators and other online systems. Vehicle arrival information, the online Wheel-Trans booking systems and external network connectivity including email also went down.

“They’re really attacking the people who use the TTC. It’s that leverage that they use to extort payments from the TTC and similar organizations,” Finlay said.

The commission did not respond immediately to a request for comment on whether it has paid ransom to the group behind the incident.

Stakeholders who are potentially impacted should follow the TTC’s direction as well as watching their bank and credit card statements and credit score, experts say.

“It’s important not to panic,” Finlay added.

The Office of the Information and Privacy Commissioner of Ontario said in a statement that the TTC notified it about the attack on Oct. 29, and while it’s working with the transit commission to learn more, it can’t provide further details since it’s an active file.

The statement noted that while Ontario’s privacy law applies to the collection, use and disclosure of personal information by the province’s public institutions like the TTC, it does not extend privacy protections to employees of those institutions.

A survey of 510 security professionals released earlier this year by the Canadian Internet Registration Authority indicated 17 of their organizations had experienced a ransomware attack and 69 per cent of those paid a ransom.

The privacy commission said criminals are using more sophisticated tactics to obtain passwords and other sensitive information, or to trick people into downloading malicious software. It offers fact sheets on preventing identity theft, ransomware and phishing, and advice on what to do if there’s a breach or if you suspect your information has been compromised.

Feature image: A Toronto Transit Commission bus driver wears a mask and gloves as he drives a bus in Toronto on Tuesday, April 14, 2020. THE CANADIAN PRESS/Frank Gunn