Toronto library, zoo attacks show public bodies need to boost cybersecurity: experts
As the Toronto Public Library gradually works to restore full service following a crippling October cyberattack, experts are warning that public organizations need to find ways to bolster their ransomware defences, despite having limited resources.
A few months after the library attack, another city-owned institution suffered a digital breach: the Toronto Zoo announced last month that personal information of its current, former and retired employees had been stolen.
- Download our app to get local alerts on your device
- Get the latest local updates right to your inbox
The zoo has said the attackers gained access to past earnings information, social insurance numbers, birthdates, phone numbers and addresses of employees going as far back as 1989.
A local library network and a city zoo may not immediately seem like prime targets for the global ransomware industry, but one expert said they have a lot to offer prospective attackers.
Charles Finlay, the executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University, said public organizations make good targets because they store substantial amounts of personal employee data and because taxpayers expect them to be open and functioning.
Public organizations "are not going to be able to stay out of operation for very long and this provides leverage to the ransomware attackers to extort (payments)," he said. "Attackers view these organizations as having the resources to pay significant ransoms."
There is no indication the library paid a ransom, but restoring services has been a painstaking process.
In a statement released Monday, more than three months after the attack, the Toronto Public Library said it was beginning to put books back on shelves but that its catalogue and personal accounts would likely remain offline until later this month.
The zoo attack appears to have been significantly less damaging in terms of operations, but the zoo has offered all potentially affected current and former employees a complimentary two-year credit monitoring service as a "proactive step."
Finlay said that to guard against future damage, public organizations need to embrace cybersecurity best practices, including two-factor authentication, regular software and password updates and not clicking on links in emails from untrusted senders.
Attackers adjust quickly and public bodies need to evolve as the threats change, he added.
"Ransomware is a multibillion-dollar global industry," he said. "It's exceptionally lucrative. It is a very sophisticated industry with its own supply chains. It's an industry that innovates at a very fast pace.
"If you can make it just a little bit more expensive, a little bit more difficult for a ransomware gang to successfully attack your organization, they will go and look for something else to do," he said.
Cybersecurity expert David Shipley, of Beauceron Security in Fredericton, noted that attackers typically strike in areas where they don't live, to reduce the likelihood of being pursued by law enforcement.
"Most cyber criminals know it's really, really dumb to hack in the same jurisdiction where you live, because that's when you're most likely to actually get caught and prosecuted," he said.
Kim Crawley, a prominent cybersecurity writer, noted that even corporations that make substantial profits often struggle to budget enough for digital security.
"So imagine if you are an entity that's a government service that does not exist to generate profit, like the library," she said.
"Those entities don't exist to make money, so there might be even less incentive to spend money on cybersecurity. And then you can't even just decide to spend money on cybersecurity, because then what if that gets to be challenged in the library board or in city hall?"
Public and community bodies should look to pool resources to enhance their collective defences, she said.
The City of Toronto has said recently it is looking to bring its various boards and agencies under a single central IT system. The city said neither the zoo nor the library were part of its central IT systems prior to the recent attacks, nor did they fall under the responsibility of the Office of the Chief Information Security Officer.
Crawley said one challenge is that some decision-makers still view cyber expenses as a waste of money.
"I hope that this is a wake-up call for the Toronto Public Library and other organizations," she said. "If they can't afford to run their own security operation centre, they can share a security operation centre with other organizations."
This report by The Canadian Press was first published Feb 14, 2024.
CTVNews.ca Top Stories
DEVELOPING Labour minister says Canada Post workers could soon be forced back to work
Canada Post workers began their strike four weeks ago, halting mail and package deliveries across the country. MacKinnon said he hopes work will resume as early as next week.
The biggest changes to Canada's mortgage rules, according to a broker
Canada's new federal mortgage rules are coming into effect Sunday. A broker says this is what would-be buyers need to know.
Top musician forced to cancel Toronto concert after Air Canada refused to give his priceless cello a seat on plane
Famed British cellist Sheku Kanneh-Mason, who became a household name after performing at the wedding of Prince Harry and Meghan Markle, has said he had to cancel a concert in Canada after the country’s largest airline denied his pre-booked seat for his cello.
Upcoming GST relief causes confusion for some small Canadian businesses
A tax break for the holiday season will start this weekend, giving some Canadians relief on year-end shopping. But for small businesses, confusion around what applies for GST relief has emerged.
Teen facing child porn charges after sending ex-boyfriend's photos to his parents
A teenager in Guelph is facing child pornography charges after sending nude photos of her ex-boyfriend to his parents.
B.C. Supreme Court certifies class-action lawsuit against Airbnb
The B.C. Supreme Court has certified a class-action lawsuit against Airbnb that alleges the short-term rental company has breached provincial consumer protection laws by offering unlicensed real estate brokerage and travel agent services.
Frank Stronach chooses jury trial in Toronto sexual assault case
Billionaire businessman Frank Stronach, who faces multiple sex assault charges, is opting for a preliminary inquiry and a jury trial in his Toronto case.
BREAKING Man charged with manslaughter in death of missing Cape Breton man
A man has been charged with manslaughter in connection with the disappearance and homicide of a man in Cape Breton this past summer.
Ontario mulls U.S. booze ban as Trump brushes off Ford's threat to cut electricity
Incoming U.S. president Donald Trump is brushing off Ontario's threat to restrict electricity exports in retaliation for sweeping tariffs on Canadian goods, as the province floats the idea of effectively barring sales of American alcohol.