TTC lacked proper measures to prevent 2021 cyberattack despite internal warning years earlier: reports

A report by the provincial privacy watchdog has found that Toronto’s public transit system was not prepared for the cyberattack that knocked down some of its communication systems and compromised the private information of more than 25,000 employees in 2021 -- despite an internal warning from the commission's security department issued years prior.

A report by the provincial privacy watchdog has found that Toronto’s public transit system was not prepared for the cyberattack that knocked down some of its communication systems and compromised the private information of more than 25,000 employees in 2021 -- despite an internal warning from the commission's security department issued years prior.

The breach, first reported in late 2021, compromised the personal information of approximately 25,000 past and present employees. That information included employee names, addresses, and social insurance numbers (SIN). The attack also took down several customer-facing systems, including trip-planning apps, the TTC website, and the online Wheel-Trans online booking portal.

While the TTC has released few details about the breach, a report authored by Ontario’s Information and Privacy Commissioner (OIPC) that was released in April sheds some new light on what happened, including the fact that it was made possible after an employee repeatedly fell for a phishing attempt.

The report also suggests that the breach was exacerbated by a failure of the commission to ensure its security software was kept up-to-date, despite having standards in place that instructed otherwise.

“In the course of investigating [...], it became clear that at the time the incident occurred, the TTC did not have adequate security guidance in place [...] and, in the case of the vulnerability exploited, failed to apply the guidance it did have in place,” OIPC investigator Jennifer Olijnyk wrote as part of her findings. According to the report, it wasn’t made clear to the investigator why the commission failed to implement a software update that its own security department has recommended

Olijnyk's findings were not the first to suggest the TTC had been vulnerable to cyberattacks. In 2018, the TTC's security department warned the commission that it did not have adequate measures in place to safeguard against the risk of cyberattacks, according to an internal report reviewed by CTV News Toronto.

The report, an internal analysis authored by an Emergency Planning Officer in the Security Department, was presented to the commission's Audit and Risk Management Committee in July 2018, it says.