
Toronto library attack shows government agencies need to step up cyber security: experts




Maan Alhmidi, Canadian Press

Wednesday, February 14, 2024 5:51 AM EST


TORONTO — As the Toronto Public Library slowly works to restore full service after an October cyberattack, experts warn that despite limited resources, public organizations must find ways to strengthen their defenses against ransomware.

Months after the library attack, another city-owned institution suffered a digital breach: The Toronto Zoo announced last month that the personal information of its current, former and retired employees had been stolen.

The zoo said the attackers gained access to past earnings information, Social Security numbers, birthdays, phone numbers and addresses of employees dating back to 1989.

A local library network and a city zoo may not immediately seem prime targets for the global ransomware industry, but one expert says they have a lot to offer potential attackers.

Charles Finlay, executive director of Rogers Cybersecure Catalyst at Toronto Metropolitan University, says public organizations make good targets because they hold significant amounts of personal employee data and taxpayers expect them to be transparent and operational.

CSOs “can't be down for a long time, and that gives ransomware attackers leverage to extort (payments),” he said. “Attackers believe these organizations have the resources to pay large ransoms.”

There is no indication that the library has paid, but restoring services has been a difficult process.

In a statement released Monday, more than three months after the attack, the Toronto Public Library said it had begun putting books back on the shelves, but that its catalog and personal accounts could be offline by the end of this month.

The attack on the zoo appears to have caused relatively little damage operationally, but the zoo has offered two years of credit monitoring services to all potentially affected current and former employees as a “proactive step.”

To protect against future harm, public organizations should adopt cybersecurity best practices, including two-factor authentication, regular software and password updates, and not clicking on links in emails from untrusted senders, Finlay said.

Attackers adapt quickly, and government agencies must evolve as threats change, he added.

“Ransomware is a multi-billion dollar global industry,” he said. “It's very profitable. It's a very complex industry with its own supply chain. It's an industry that innovates at a very fast pace.

“If you can make it a little more expensive, if you can make it a little more difficult for a ransomware group to successfully attack your organization, they'll go and look for something else,” he said.

David Shipley, a cybersecurity expert at Beauceron Security in Fredericton, noted that attackers typically target places where they do not live, to reduce the likelihood of prosecution by law enforcement.

“Most cybercriminals know that it's really stupid to hack in the jurisdiction you live in because that's when you're most likely to be caught and prosecuted,” he said.

Kim Crowley, a prominent cybersecurity writer, points out that even corporations that make substantial profits often struggle to budget adequately for digital security.

“So imagine you're a not-for-profit public service like a library,” he said.

“These entities are not there to make money, so there may be less incentive to spend money on cyber security. And then you can't even decide to spend money on cybersecurity because what if there's a dispute about it in the library board or in the city hall?”

Community and public bodies should try to pool resources to strengthen collective defense, he said.

The City of Toronto recently said it is looking to consolidate its various departments and agencies into a single, central IT system. The city said that before the latest attacks, neither the zoo nor the library was part of its central IT systems, and neither was the responsibility of the Office of the Chief Information Security Officer.

One challenge, Crowley said, is that some decision makers see cyber spending as a waste of money.

“I hope this is a wake-up call for the Toronto Public Library and other organizations,” he said. “If they don't have the capacity to run their own security operations center, they can share the security operations center with other organizations.”

This Canadian Press report was first published on February 14, 2024.
