Reports show TTC did not have the measures in place to avert 2021 cyberattack despite internal warnings years earlier
A report by the provincial privacy watchdog has found that Toronto’s public transit system was not prepared for the cyberattack that knocked down some of its communication systems and compromised the private information of more than 25,000 employees in 2021 — despite an internal warning from the commission’s security department issued years prior.
The breach, first reported in late 2021, compromised the personal information of approximately 25,000 past and present employees. That information included employee names, addresses, and social insurance numbers (SINs). The attack also took down several customer-facing systems, including trip-planning apps, the TTC website, and the online Wheel-Trans booking portal.
While the TTC has released few details about the breach, a report authored by Ontario’s Information and Privacy Commissioner (OIPC) that was released in April sheds some new light on what happened, including the fact that it was made possible after an employee repeatedly fell for a phishing attempt.
The report also suggests that the breach was exacerbated by a failure of the commission to ensure its security software was kept up-to-date, despite having standards in place that
“In the course of investigating, it became clear that at the time the incident occurred, the TTC did not have adequate security guidance in place and, in the case of the vulnerability exploited, failed to apply the guidance it did have in place,” OIPC investigator Jennifer Olijnyk wrote as part of her findings. According to the report, it was not made clear to the investigator why the commission failed to implement a software update that its own security department had recommended.
Olijnyk’s findings were not the first to suggest the TTC had been vulnerable to cyberattacks. In 2018, the TTC’s security department warned the commission that it did not have adequate measures in place to safeguard against the risk of cyberattacks, according to an internal report reviewed by CTV News Toronto.
The report, an internal analysis authored by an Emergency Planning Officer in the Security Department, was presented to the commission’s Audit and Risk Management Committee in July 2018, it says.
It recommended that the TTC “revisit” its risk assessment model in use at the time, “as it did not include the consideration of key risks, such as cyberattacks nor was it able to articulate the impact of such an event on the organization.” The commission was also encouraged to adopt the standardized risk assessment process used by the City of Toronto at the time.
Other options, including implementing specific countermeasures and policies to reduce the risk of breaches, were also posited to the commission.
When reached for comment on the findings, the Toronto Transit Commission did not outline what guidance, if any, from the 2018 report it went on to implement, nor did it elaborate on its current cybersecurity measures.
In a statement provided to CTV News Toronto, spokesperson Stuart Green said the commission’s cyber program has “matured to harden its security posture significantly since 2018” and that current protocols are based on industry best practices.
“Like any large organization, cybersecurity is a top priority for the TTC,” Green said. “Ensuring the safety, security and integrity of our networks, operations, and personal data are key corporate priorities.”
“Given the sensitive and confidential nature of these security measures, we can’t comment further except to say that we welcome any recommendations that result in even greater system protections,” he continued.
How did the 2021 cyberattack happen?
The breach, according to Olijnyk’s report, was made possible in two parts: first, the hackers were able to compromise a “trusted” third party.
From there, the foreign entity inserted a malicious link into email correspondence between that third party and the commission. An employee then reportedly clicked on that link, allowing access to the TTC’s systems via malware because the commission’s security software was not up to date.
The employee in question had undergone a 31-minute cybersecurity module, which included a section on phishing threats, just one month earlier, the report found.
Upon discovering the breach, the TTC activated its information technology security protocols and notified the public. The notice, issued via press release, said a significant service disruption had been avoided and that there was “no risk to employee or customer safety.”
That was corrected in an update issued by the commission two weeks later. In that notice, it informed the public that the personal information of approximately 25,000 employees may have been compromised, but claimed there was no evidence that any of the information had been misused.
The authors of the report noted that the TTC had provided investigators with a more detailed explanation of how the attack occurred as part of its investigation, but that it asked those details not be published “due to security concerns.”
According to Dr. Diogo Barrados, of the Cheriton School of Computer Science at the University of Waterloo, the kind of attack experienced by the commission in 2021 was “pretty typical.”
“These kinds of data breaches typically involve some kind of human error – or what technically we like to call social engineering – in the sense that you try to make someone click some malicious link, or you make someone download malicious attachments,” Barrados said.
“Then, once the threat actor has established a foothold inside the system, there can be an opportunity for that malicious code to spread,” he said. In this case, that was made possible by the lack of a software update at the time of the breach. “Software vulnerabilities are something that we’ve been having discussions about since the early 80s. So the methods of attack are still similar and we are still having the same issues.”
In her report, the investigator recommended that the commission adjust its cybersecurity policies to align itself with recommendations published by the Information and Privacy Commissioner in 2019 that were meant to serve as a detailed guideline for mitigating cyber risks.
These recommendations included segmenting networks that contain sensitive data, employing threat protection and endpoint protection tools, enabling encryption, and conducting regular phishing awareness training.
As part of the investigation, the commission outlined specific plans to implement the above measures, with the first quarter of 2024 being the latest expected completion date. The TTC did not respond to CTV News when asked if, as of June, the recommendations had been implemented in full.
What are other public agencies doing?
When asked about its cybersecurity policy, Metrolinx, another public transit agency in Ontario, said in a written statement it has “protections in place to ensure that customer information is protected.”
The agency, which boasts a workforce about half the size of the TTC’s, says it conducts regular tests to monitor its IT systems and “continually” looks for ways to strengthen its network. While it did not elaborate on the full extent of those measures, the transit agency said it employs encryption on all PRESTO and GO e-ticket transactions, and that its internal employee networks remain separate.
As for education, all Metrolinx workers and contractors are required to complete an annual cyber training module, it said.
What lessons should public agencies take away?
To adequately tackle the threat of cyberattacks, public bodies need a two-fold defence, Barrados said.
It is not enough to have an annual cybersecurity training module, Barrados continued. More comprehensive, more frequent training will need to be paired with additional measures, such as layers of segmentation, or separation, between networks holding sensitive information.
“You can train your personnel, but you cannot be by their side 24/7, so I really think to achieve this kind of security, from the higher to low level systems, we do need multiple layers of defense,” he said. “So that even if a breach occurs, it cannot spread through all of the systems.”
Resources such as encryption and automated security verification tools can also be useful, the professor said.
There also needs to be a will to ensure those measures are in place.
“The problem then is that even when some vulnerabilities are found and corrections are made for it, these [security] software patches are not applied for months, or even years at times, which again, seems to be the case at the TTC,” Barrados said. “This means there is a kind-of fine line for whoever’s managing the system to actually recognize these vulnerabilities and then deploy them correctly.”
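The lag Barrados describes, between a fix being available and it actually being deployed, is something an agency can measure from its own inventory. The following is an added example, not code from the article, the TTC or any agency named in it: it runs a per-severity patch-window policy over a constructed inventory of hypothetical hosts and patch identifiers and reports which ones sat unpatched beyond the window. The policy limits, host names and patch ids are all assumptions made up for the illustration.

```python
"""Patch-latency check over a constructed asset inventory (added example).

The article describes patches left unapplied for months or years. This
script takes a hypothetical inventory of hosts, the patches released for
each, and the date each patch was applied, and flags every host whose
patch lag exceeds a per-severity policy window.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Hypothetical policy: maximum days allowed between a patch's release and
# its deployment, keyed by severity. Illustrative values, not any agency's rule.
POLICY_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass
class PatchRecord:
    host: str                # constructed host name
    patch_id: str            # constructed identifier, not a real advisory
    severity: str
    released: date           # date the fix became available
    applied: Optional[date]  # None means the fix is still not deployed


def patch_lag_days(rec: PatchRecord, today: date) -> int:
    """Days the host stayed exposed: until the patch was applied, or until today."""
    end = rec.applied if rec.applied is not None else today
    return (end - rec.released).days


def find_overdue(records: List[PatchRecord], today: date,
                 policy=POLICY_DAYS) -> List[Tuple[str, str, int, int]]:
    """Return (host, patch_id, lag_days, limit_days) for every record past its window.

    A record is overdue when the patch was applied later than the window
    allows, or is still unapplied and the window has already elapsed.
    Records with a severity the policy does not know are skipped rather
    than silently judged compliant.
    """
    overdue = []
    for rec in records:
        limit = policy.get(rec.severity.lower())
        if limit is None:
            continue
        lag = patch_lag_days(rec, today)
        if lag > limit:
            overdue.append((rec.host, rec.patch_id, lag, limit))
    # Longest exposure first, so the worst offenders top the report.
    return sorted(overdue, key=lambda r: r[2], reverse=True)


# Constructed sample inventory: hypothetical hosts and patch ids.
SAMPLE = [
    PatchRecord("ws-0142", "PATCH-A", "critical", date(2021, 3, 1), date(2021, 3, 10)),
    PatchRecord("ws-0187", "PATCH-A", "critical", date(2021, 3, 1), None),
    PatchRecord("srv-mail-1", "PATCH-B", "high", date(2020, 11, 15), date(2021, 6, 2)),
    PatchRecord("srv-web-2", "PATCH-C", "medium", date(2021, 8, 1), None),
]

# Reference date for the sample run (constructed).
AS_OF = date(2021, 10, 1)


def overdue_sample() -> List[Tuple[str, str, int, int]]:
    """Run the policy over the constructed inventory as of AS_OF."""
    return find_overdue(SAMPLE, AS_OF)


if __name__ == "__main__":
    for host, pid, lag, limit in overdue_sample():
        print(f"{host}: {pid} exposed {lag} days (policy allows {limit})")
```

In the sample, the workstation that was never patched and the mail server patched seven months late are the two findings; the host patched within nine days and the medium-severity fix still inside its 90-day window are not reported. The same loop, fed from a real configuration-management export instead of the constructed list, is a minimal form of the "automated security verification" the professor mentions.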
It’s a nuanced problem that requires nuanced solutions – from all levels of government – but ultimately, the advice remains the same as it was decades ago, the professor continued.
“It’s the kind of advice that we’ve been giving for maybe 40 years now: security should not be an afterthought,” he said.
“But that needs to happen by design, not as an afterthought.”
This article was first reported by CTV News.