The Toronto Transit Commission (TTC) was the victim of a cyberattack. A threat actor gained access to its systems via a phishing attack, used malware to encrypt these systems, and exfiltrated data. The TTC notified the IPC, its employees, and the public of this privacy breach. It was later able to restore nearly all of its systems from backups and hired experts to determine the information that had been exfiltrated and how the attack occurred. The experts found that the TTC’s failure to install a patch for a known security vulnerability contributed to the attack.
In this report, I conclude that the TTC did not have reasonable security measures in place to prevent unauthorized access to the personal information on its systems. However, the TTC put additional security measures in place following the attack. It also implemented detailed revised guidance on scanning for vulnerabilities and installing patches. These set out timelines and state who is responsible for these tasks. Based on the measures that the TTC has taken since the breach, I am generally satisfied with its response to the breach, though I recommend that it implement guidance on using encryption as a default.