Toronto Public Library cyberattack: A wake-up call for stronger security
Case of Note: File MR23-00112
Background
In November 2023, the Toronto Public Library (TPL) reported a cybersecurity breach to the Office of the Information and Privacy Commissioner of Ontario (IPC). The breach, which related to a ransomware attack, was first detected in October 2023 when TPL noticed suspicious activity on its network and learned that an unauthorized party had encrypted certain networks and stolen a significant number of files from its file server.
TPL immediately responded by activating its Major Cyber Security Incident Playbook and Privacy Breach Protocol. It engaged its core incident response team, external legal counsel, and a third-party security consultant to help contain the breach and conduct a forensic investigation. TPL reported that the incident was contained within 24 hours but could not determine its root cause.
TPL conducted an e-discovery process to assess the full scope of the breach. The findings revealed that the breach affected the personal information of approximately 8,018 current and former staff, approximately 1,874 of their beneficiaries and dependents, and 4,100 (or fewer) customers, donors, contractors, volunteers, and unsuccessful job applicants.
Findings
At the time of the attack, TPL had security measures in place including critical endpoint patches and domain controllers that were hardened following standard procedures and policies (hardening generally involves reducing the number of pathways that an attacker can take to get access to the network). However, TPL acknowledged that certain applications and operating systems were identified as end of life or unsupported by a third-party vendor, requiring remediation.
The IPC noted that security vulnerabilities existed at the time of the incident and that the threat remained undetected in the TPL environment for more than two months. The IPC noted that a more proactive approach to identifying, analyzing, and addressing privacy risks in TPL’s applications and systems could have helped prevent or reduce the likelihood of a significant privacy breach. It was also concerning that the root cause of the incident remained unknown.
To contain the breach, TPL took several steps, including:
- quarantining all endpoints, servers, and workstations
- visiting each physical TPL location to inspect and remedy hardware
- forensically reviewing, cleaning, and restoring or rebuilding more than 200 servers
To further strengthen its security and remediate the breach, TPL reported that it:
- improved its policies and procedures for logging and monitoring system events and detecting potential security threats
- enhanced its network security policies to mitigate unauthorized data movement between systems
- applied standard server hardening policies and configurations to its systems
TPL issued public statements and frequently asked questions to inform the public about the breach and provided notification to some of the impacted groups, but not all. For several months, the IPC encouraged TPL to consider the larger number of affected individuals, the sensitivity of the information, and the risk of abuse of the information at issue when deciding who to notify of the breach. Eventually, TPL did provide direct or indirect notice to all affected parties.
The IPC also recommended that TPL review and update its privacy training to ensure it meets current cybersecurity industry standards.
After reviewing the circumstances of the breach and TPL’s follow-up actions, and having worked with TPL for several months, the IPC was satisfied that TPL responded adequately. As a result, no further review was required.
Key takeaways
- Public sector organizations need to routinely assess and address security risks in their systems and applications, rather than waiting for issues to arise.
- Public sector organizations should take proactive steps to reduce the risk of unauthorized parties gaining access to their information technology systems by:
  - implementing email security controls to detect and block emails with suspicious links, malicious attachments, and spoofed sender addresses
  - establishing a vulnerability management program
  - following system hardening best practices
  - developing strategies to mitigate risks associated with out-of-date systems
  - restricting employee access to high-risk or suspicious websites
  - enforcing strong authentication practices, including secure passwords, password management, strong multi-factor authentication, and restrictions on password reuse
- To detect, prevent, and recover from a ransomware attack, public sector organizations should put in place safeguards such as:
  - establishing regular backups of data and systems in a secure, offline environment
  - monitoring the integrity of records for unusual activity, such as unexpected changes to large numbers of files or to highly sensitive information
  - detecting the unauthorized use of encryption tools and application programming interfaces (APIs) to prevent data from being locked or encrypted
  - using data loss prevention tools to log, monitor, and block network traffic of irregular file transfers to untrusted destinations or known file upload websites
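The two detection safeguards above (watching for unexpected changes to large numbers of files, and spotting unauthorized encryption) can be illustrated with a small file-integrity monitor. The following is an added example written for this page, not code from TPL, the IPC, or any vendor; the audit-record format, the account names, the thresholds (more than 50 modifications per user in 60 seconds; written content with at least 7.0 bits of entropy per byte) and the sample events are all constructed assumptions.

```python
import math
import random
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    """One file-activity audit record (constructed format, not TPL's)."""
    ts: float      # seconds since epoch
    user: str      # account that performed the action
    path: str      # file affected
    action: str    # "create", "modify", "rename" or "delete"
    sample: bytes  # first bytes written, as an integrity monitor might capture


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_modification(events, window_s=60.0, threshold=50):
    """Flag each user who modifies or renames more than `threshold` files
    within any `window_s`-second sliding window (first crossing only)."""
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps inside the window
    already = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in ("modify", "rename"):
            continue
        q = recent[ev.user]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and ev.user not in already:
            alerts.append({"user": ev.user, "ts": ev.ts, "count": len(q)})
            already.add(ev.user)
    return alerts


def detect_encrypted_writes(events, entropy_threshold=7.0, min_hits=5):
    """Count, per user, modifications whose written bytes look like ciphertext
    (near-uniform byte distribution); report users at or above `min_hits`."""
    hits = defaultdict(int)
    for ev in events:
        if ev.action == "modify" and shannon_entropy(ev.sample) >= entropy_threshold:
            hits[ev.user] += 1
    return {user: n for user, n in hits.items() if n >= min_hits}


def build_sample_events():
    """Constructed sample: one user editing documents normally, and one
    (hypothetical) account overwriting 80 files with random bytes in 20 seconds."""
    rng = random.Random(20231028)
    text = (b"Quarterly circulation report: branch visits, holds placed, "
            b"items renewed. Prepared for the board meeting.\n") * 10
    events = []
    for i in range(5):  # alice: five edits of readable text over ten minutes
        events.append(FileEvent(900.0 + i * 120, "alice",
                                f"/share/reports/r{i}.docx", "modify", text))
    for i in range(80):  # j.doe: high-entropy rewrites every 0.25 s
        junk = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append(FileEvent(1000.0 + i * 0.25, "j.doe",
                                f"/share/hr/file{i}.pdf", "modify", junk))
    return events


def triage(events):
    """Run both detectors and return their findings keyed by safeguard."""
    return {
        "mass_modification": detect_mass_modification(events),
        "encrypted_writes": detect_encrypted_writes(events),
    }


if __name__ == "__main__":
    for name, result in triage(build_sample_events()).items():
        print(name, result)
```

On the constructed sample, only the mass-overwriting account trips either detector: the sliding window alerts at its 51st modification, and all 80 of its writes are classified as ciphertext-like while the normal user's text edits are not. In practice the entropy signal alone produces false positives on legitimately compressed or media files, so it is most useful when combined with the modification-rate signal and with the offline-backup and DLP controls listed above rather than acted on by itself.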
- Public sector organizations must regularly review and update their privacy training program to ensure it addresses risks related to unauthorized accesses to personal information. Training should align with current industry best practices, adopt an industry standard cybersecurity framework, and include measures to address serious malicious threats.
- Public sector organizations should notify all individuals affected by a breach as soon as possible. Notification should be direct, such as by telephone, letter, email or in person. If direct notification is not possible or reasonably practical, indirect methods may be used.