TTC lacked proper measures to prevent 2021 cyberattack despite internal warning years earlier: reports
A report by the provincial privacy watchdog has found that Toronto’s public transit system was not prepared for the cyberattack that knocked down some of its communication systems and compromised the private information of more than 25,000 employees in 2021 -- despite an internal warning from the commission's security department issued years prior.
The breach, first reported in late 2021, compromised the personal information of approximately 25,000 past and present employees. That information included employee names, addresses, and social insurance numbers (SIN). The attack also took down several customer-facing systems, including trip-planning apps, the TTC website, and the Wheel-Trans online booking portal.
While the TTC has released few details about the breach, a report authored by Ontario’s Information and Privacy Commissioner (OIPC) that was released in April sheds some new light on what happened, including the fact that it was made possible after an employee fell for a phishing attempt.
The report also suggests that the breach was exacerbated by a failure of the commission to ensure its security software was kept up-to-date, despite having standards in place that instructed otherwise.
“In the course of investigating [...], it became clear that at the time the incident occurred, the TTC did not have adequate security guidance in place [...] and, in the case of the vulnerability exploited, failed to apply the guidance it did have in place,” OIPC investigator Jennifer Olijnyk wrote as part of her findings. According to the report, it wasn’t made clear to the investigator why the commission failed to implement a software update that its own security department had recommended.
Olijnyk's findings were not the first to suggest the TTC had been vulnerable to cyberattacks. In 2018, the TTC's security department warned the commission that it did not have adequate measures in place to safeguard against the risk of cyberattacks, according to an internal report reviewed by CTV News Toronto.
The report, an internal analysis authored by an Emergency Planning Officer in the Security Department, was presented to the commission's Audit and Risk Management Committee in July 2018, it says.
It recommended that the TTC “revisit” its risk assessment model in use at the time, “as it [did] not include the consideration of key risks, such as cyberattacks […] nor [was] it able to articulate the impact of such an event on the organization.” The commission was also encouraged to adopt the standardized risk assessment process used by the City of Toronto at the time.
Other options, including implementing specific countermeasures and policies to reduce the risk of breaches, were also posited to the commission.
When reached for comment on the findings, the Toronto Transit Commission did not outline what guidance, if any, from the 2018 report it went on to implement, nor did it elaborate on its current cybersecurity measures.
In a statement provided to CTV News Toronto, spokesperson Stuart Green said the commission’s cyber program has “matured to harden [its] security posture significantly since 2018” and that current protocols are based on industry best practices.
“Like any large organization, cybersecurity is a top priority for the TTC,” Green said. “Ensuring the safety, security and integrity of our networks, operations, and personal data are key corporate priorities.”
“Given the sensitive and confidential nature of these security measures, we can’t comment further except to say that we welcome any recommendations that result in even greater system protections,” he continued.
How did the 2021 cyberattack happen?
The breach, according to Olijnyk's report, was made possible in two parts: first, the hackers were able to compromise a “trusted” third party.
From there, the foreign entity inserted a malicious link into email correspondence between that third party and the commission. An employee then reportedly clicked on that link, allowing access to the TTC’s systems via malware due to the lack of up-to-date security software.
The employee in question had undergone a 31-minute cybersecurity module, which included a section on phishing threats, just one month earlier, the report found.
Upon discovering the breach, the TTC activated its information technology security protocols and notified the public. The notice, issued via press release, said a significant service disruption had been avoided and that there was "no risk to employee or customer safety."
That was corrected in an update issued by the commission two weeks later. In that notice, it informed the public that the personal information of approximately 25,000 employees may have been compromised, but claimed there was no evidence that any of the information had been misused.
The authors of the report noted that the TTC had provided investigators with a more detailed explanation of how the attack occurred as part of its investigation, but that it asked those details not be published "due to security concerns."
According to Dr. Diogo Barrados, with the Cheriton School of Computer Science in Waterloo, the kind of attack experienced by the commission in 2021 was “pretty typical.”
“These kinds of data breaches typically involve some kind of human error – or what technically we like to call social engineering – in the sense that you try to make someone click some malicious link, or you make someone download malicious attachments,” Barrados said.
“Then, once the threat actor has established a foothold inside the system, there can be an opportunity for that malicious code to spread,” he said. In this case, that was made possible by the lack of a software update at the time of the breach. “Software vulnerabilities are something that we've been having discussions about since the early 80s. So the methods [of attack] are still similar and we are still having the same issues.”
In her report, the investigator recommended that the commission adjust its cybersecurity policies to align itself with recommendations published by the Information and Privacy Commissioner in 2019 that were meant to serve as a detailed guideline for mitigating cyber risks.
These recommendations included segmenting networks that contain sensitive data, employing threat protection and endpoint protection tools, enabling encryption, and conducting regular phishing awareness.
As part of the investigation, the commission outlined specific plans to implement the above measures, with the first quarter of 2024 being the latest expected completion date. The TTC did not respond to CTV News when asked if, as of June, the recommendations had been implemented in full.
What are other public agencies doing?
When asked about its cybersecurity policy, Metrolinx, another public transit agency in Ontario, said in a written statement it has “protections in place to ensure that customer information is protected.”
The agency, which boasts a workforce about half the size of the TTC’s, says it conducts regular tests to monitor its IT systems and “continually” looks for ways to strengthen its network. While it did not elaborate on the full extent of those measures, the transit agency said it employs encryption on all PRESTO and GO e-ticket transactions, and that its internal employee networks remain separate.
As for education, all Metrolinx workers and contractors are required to complete an annual cyber training module, it said.
What lessons should public agencies take away?
To adequately tackle the threat of cyber attacks, public bodies need a two-fold defence, Barrados said.
It’s not enough to have an annual cybersecurity module, Barrados continued. More comprehensive, frequent modules will need to be paired with additional measures, like employing layers of segmentation – or separation – between networks with sensitive information.
“You can train your personnel, but you cannot be by their side 24/7, so I really think to achieve this kind of security, from the higher to low level systems, we do need multiple layers of defense,” he said. “So that even if a breach occurs, it cannot spread through all of the systems.”
Resources such as encryption and automated security verification tools can also be useful, the professor said.
There also needs to be a will to ensure those measures are in place.
“The problem then is that even when some vulnerabilities are found and corrections are made for it, these [security] software patches are not applied for months, or even years at times, which again, seems to be the case at the TTC,” Barrados said. “This means there is a kind-of fine line for whoever's managing the system to actually recognize these vulnerabilities [...] and then deploy them correctly.”
It’s a nuanced problem that requires nuanced solutions – from all levels of government – but ultimately, the advice remains the same as it was decades ago, the professor continued.
“It's the kind of advice that we've been giving for maybe 40 years now: security should not be an afterthought,” he said.
“But that needs to happen by design, not as an afterthought.”