The city is working to bring its various boards and agencies under a single central IT system as Toronto works to avoid another disastrous cyberattack.

Toronto has been hit with two notable cyberattacks over the past few months.

An attack on the Toronto Public Library in October has crippled the library’s systems for months, making it difficult for patrons to use computer facilities and borrow items.

Another attack targeted the Toronto Zoo earlier this month.

In both cases, hackers stole personal information about employees. The zoo said that the stolen information included past earnings information, social insurance numbers, birthdates, telephone numbers and home addresses.

In an email to CP24.com, the city confirmed that neither the zoo nor the library were part of Toronto's central IT systems prior to the attack, nor did they fall under the responsibility of the Office of the Chief Information Security Officer.

“Agencies, boards and corporations are responsible for their own cybersecurity and are separate from the City’s centralized set of systems” the city said.

According to the city, The Office of the Chief Information Security Officer (CISO) “establishes and oversees the city's overall cyber strategy to detect, prevent, respond, and recover from cyber threats.”

But while hat office offers cybersecurity services such as cyber assessments and employee training to agencies, boards and corporations, those bodies don’t fall under its responsibility.

The City of Toronto has dozens of agencies, boards and corporations, including Toronto police, the TTC, Toronto Hydro and Toronto Community Housing.

Mayor Olivia Chow said last week that while Toronto's central system is considered to be very secure, various boards and agencies at the city have systems which are not part of the central system. She said the city is now working to change that.

“The City of Toronto’s main system is one of the most secure in North America, second to New York,” Chow said at an announcement about bolstering funding for libraries. “We have a lot of agencies, boards and commissions. We're inviting the boards, agencies and commissions to join into the central City of Toronto IT system so that they are far more secure. And this is the process of what's happening.”

But the city has nonetheless experienced its own breaches in the past. In 2021, the city said it had been the victim of “a potential cyber breach” related to third-party file transfer software. The city said at the time that other organizations had been affected by the same attack and noted that it “successfully wards off cyber attacks on a daily basis.”

Experts say that the recent attacks highlight the vulnerability of local institutions to attacks from cyber criminals and say that such attacks are only likely to increase in the future.

 

Local institutions make attractive targets for cyberattacks

“There's no doubt we are seeing increased numbers of cyberattacks, we are seeing increased sophistication of the cyberattacks, and we are seeing a spread in terms of the targeting,” Tech Analyst Carmi Levi told CP24.com in an interview. “Organizations and sectors that previously would not have been in the crosshairs, are increasingly finding themselves being targeted.

“And it all comes down to profit. There’s money to be made from cybercriminal activity and data is the currency of the cybercriminal world. And there's lots of data to be had out there.”

He said cybercriminals, often operating from abroad, are increasingly aware of institutions where large volumes of personal data may be flowing through systems where there has been relatively low investment in security.

“Because these are largely publicly funded organizations that don't have the budgets and the staffing and the support for proactive cybersecurity investments, you almost have the perfect ingredients for successful cyberattacks,” Levi said. “Because you have high value targets on one end, and relatively low investments in cybersecurity on the other. And that attracts cybercriminals like moths to a flame.”

He said public institutions which have contracted out some of their IT services to third-party providers have also learned the hard way that they are vulnerable if those third-party providers are vulnerable. That was the case, he said, with a recent cyberattack which targeted a group of Ontario hospitals which all used a common third-party provider.

He said that while it may cost more to invest in better cybersecurity, not doing so can prove to be far more expensive.

“I look at cybersecurity preparedness like insurance. It isn't sexy. Nobody wants to talk about it. Everyone sees it as an unnecessary expense. And that's usually the first place they try to trim the budget,” Levi said. “But the cost of investing in cybersecurity preparedness and having the right technologies and staffing and training in place, pale in comparison to the cost of recovering from a successful cyberattack.”

While the costs of the city’s latest attacks is not yet known, a recent survey by Palo Alto Networks for the Angus Reid Institute found that the average ransom paid by mid-size Canadian companies to cyber criminals has jumped to more than $1.13 million.

The city has said that no ransom has been paid in connection with its recent cyberattacks.

In a recent interview with Newstalk 1010, TMU cyber security expert Charles Finlay sad municipal institutions make particularly attractive targets because they serve so many people.

“So it's really the importance of municipalities, the importance of the services that municipalities deliver — think of water, wastewater, 911, fire, emergency, police — all of those pieces, it's the importance of municipalities and the services that they provide that really drive the vulnerability that they have to cyberattack,” he said.

 

City set to spend less on CISO in latest budget

In the current context it might raise some eyebrows that the city is, in fact, planning to spend less on cybersecurity in its latest budget than it did last year.

However Budget Chief Shelley Carroll said that while the CISO office is in fact set to see a cut to its budget this year, the higher budget in previous years was there in order to help get the office established, and staff now feel that they can make do with less in the context of a budget environment where every department has been asked to make cuts.

She said that centralizing all of the city’s various agencies under one IT roof is consistent with what other municipalities are doing as they recognize the growing threat of cyberattacks.

“Every public body, particularly at the municipal level, in North America is tightening up those systems,” she told reporters recently. She said the move will also help attract better talent that all local government agencies will benefit from, and save costs through central purchasing.

Meanwhile the city has said that it expects its library systems to gradually come back online through February.