       TTC cyberattack: Report suggests commission lacked proper measures to
       prevent 2021 breach
        
       ----------------------------------------------------------------------
        
       A report by the provincial privacy watchdog has found that Toronto's
       public transit system was not prepared for the cyberattack that
       knocked down some of its communication systems and compromised the
       private information of more than 25,000 employees in 2021 -- despite
       an internal warning from the commission's security department issued
       years prior.
        
       The breach, first reported in late 2021, compromised the personal
       information of approximately 25,000 past and present employees. That
       information included employee names, addresses, and social insurance
       numbers (SIN). The attack also took down several customer-facing
       systems, including trip-planning apps, the TTC website, and the
       online Wheel-Trans booking portal.
        
       While the TTC has released few details about the breach, a report
       authored by Ontario's Information and Privacy Commissioner (OIPC) that
       was released in April sheds some new light on what happened, including
       the fact that it was made possible after an employee fell for a
       phishing attempt.
        
       The report also suggests that the breach was exacerbated by a failure
       of the commission to ensure its security software was kept up-to-date,
       despite having standards in place that instructed otherwise.
        
       "In the course of investigating [...], it became clear that at the
       time the incident occurred, the TTC did not have adequate security
       guidance in place [...] and, in the case of the vulnerability
       exploited, failed to apply the guidance it did have in place," OIPC
       investigator Jennifer Olijnyk wrote as part of her findings. According
       to the report, it was not made clear to the investigator why the
       commission failed to implement a software update that its own security
       department had recommended.
        
       Olijnyk's findings were not the first to suggest the TTC had been
       vulnerable to cyberattacks. In 2018, the TTC's security department
       warned the commission that it did not have adequate measures in place
       to safeguard against the risk of cyberattacks, according to an
       internal report reviewed by CTV News Toronto.
        
       The report, an internal analysis authored by an Emergency Planning
       Officer in the Security Department, was presented to the commission's
       Audit and Risk Management Committee in July 2018, according to the
       document.
        
       It recommended that the TTC "revisit" its risk assessment model in use
       at the time, "as it [did] not include the consideration of key risks,
       such as cyberattacks […] nor [was] it able to articulate the impact of
       such an event on the organization." The commission was also encouraged
       to adopt the standardized risk assessment process used by the City of
       Toronto at the time.
        
       Other options, including implementing specific countermeasures and
       policies to reduce the risk of breaches, were also posited to the
       commission.
        
       When reached for comment on the findings, the Toronto Transit
       Commission did not outline what guidance, if any, from the 2018 report
       it went on to implement, nor did it elaborate on its current
       cybersecurity measures.
        
       In a statement provided to CTV News Toronto, spokesperson Stuart Green
       said the commission's cyber program has "matured to harden [its]
       security posture significantly since 2018" and that current protocols
       are based on industry best practices.
        
       "Like any large organization, cybersecurity is a top priority for the
       TTC," Green said. "Ensuring the safety, security and integrity of our
       networks, operations, and personal data are key corporate priorities."
        
       "Given the sensitive and confidential nature of these security
       measures, we can't comment further except to say that we welcome any
       recommendations that result in even greater system protections," he
       continued.
        
       ## How did the 2021 cyberattack happen?
        
       The breach, according to Olijnyk's report, was made possible in two
       parts: first, the hackers were able to compromise a "trusted" third
       party.
        
       From there, the foreign entity inserted a malicious link into email
       correspondence between that third-party and the commission. An
       employee then reportedly clicked on that link, allowing access to the
       TTC's systems via malware due to the lack of up-to-date security
       software.
        
       The employee in question had undergone a 31-minute cybersecurity
       module, which included a section on phishing threats, just one month
       earlier, the report found.
        
       Upon discovering the breach, the TTC activated its information
       technology security protocols and notified the public. The notice,
       issued via press release, said a significant service disruption had
       been avoided and that there was "no risk to employee or customer
       safety."
        
       That was corrected in an update issued by the commission two weeks
       later. In that notice, it informed the public that the personal
       information of approximately 25,000 employees may have been
       compromised, but claimed there was no evidence that any of the
       information had been misused.
        
       The authors of the report noted that the TTC had provided
       investigators with a more detailed explanation of how the attack
       occurred as part of its investigation, but that it asked those details
       not be published "due to security concerns."
        
       According to Dr. Diogo Barrados, with the Cheriton School of Computer
       Science in Waterloo, the kind of attack experienced by the commission
       in 2021 was "pretty typical."
        
       "These kinds of data breaches typically involve some kind of human
       error - or what technically we like to call social engineering - in
       the sense that you try to make someone click some malicious link, or
       you make someone download malicious attachments," Barrados said.
        
       "Then, once the threat actor has established a foothold inside the
       system, there can be an opportunity for that malicious code to
       spread," he said. In this case, that was made possible by the lack of
       software updates at the time of the breach. "Software vulnerabilities
       are something that we've been having discussions about since the early
       80s. So the methods [of attack] are still similar and we are still
       having the same issues."
        
       In her report, the investigator recommended that the commission adjust
       its cybersecurity policies to align itself with recommendations
       published by the Information and Privacy Commissioner in 2019 that
       were meant to serve as a detailed guideline for mitigating cyber
       risks.
        
       These recommendations included segmenting networks that contain
       sensitive data, employing threat protection and endpoint protection
       tools, enabling encryption, and conducting regular phishing awareness.
        
       As part of the investigation, the commission outlined specific plans
       to implement the above measures, with the first quarter of 2024 being
       the latest expected completion date. The TTC did not respond to CTV
       News when asked if, as of June, the recommendations had been
       implemented in full.
        
       ## What are other public agencies doing?
        
       When asked about its cybersecurity policy, Metrolinx, another public
       transit agency in Ontario, said in a written statement it has
       "protections in place to ensure that customer information is
       protected."
        
       The agency, which boasts a workforce about half the size of the TTC's,
       says it conducts regular tests to monitor its IT systems and
       "continually" looks for ways to strengthen its network. While it did
       not elaborate on the full extent of those measures, the transit agency
       said it employs encryption on all PRESTO and GO e-ticket transactions,
       and that its internal employee networks remain separate.
        
       As for education, all Metrolinx workers and contractors are required
       to complete an annual cyber training module, it said.
        
       ## What lessons should public agencies take away?
        
       To adequately tackle the threat of cyber attacks, public bodies need a
       two-fold defence, Barrados said.
        
       It's not enough to have an annual cybersecurity training module,
       Barrados continued. More comprehensive, more frequent modules will
       need to be paired with additional measures, like employing layers of
       segmentation - or separation - between networks with sensitive
       information.
        
       "You can train your personnel, but you cannot be by their side 24/7,
       so I really think to achieve this kind of security, from the higher to
       low level systems, we do need multiple layers of defense," he said.
       "So that even if a breach occurs, it cannot spread through all of the
       systems."
        
       Resources such as encryption and automated security verification tools
       can also be useful, the professor said.
        
       There also needs to be a will to ensure those measures are in place.
        
       "The problem then is that even when some vulnerabilities are found and
       corrections are made for it, these [security] software patches are not
       applied for months, or even years at times, which again, seems to be
       the case at the TTC," Barrados said. "This means there is a kind-of
       fine line for whoever's managing the system to actually recognize
       these vulnerabilities [...] and then deploy them correctly."
        
       It's a nuanced problem that requires nuanced solutions - from all
       levels of government - but ultimately, the advice remains the same as
       it was decades ago, the professor continued.
        
       "It's the kind of advice that we've been giving for maybe 40 years
       now: security should not be an afterthought," he said.
        
       "But that needs to happen by design, not as an afterthought."
        