The Toronto Transit Commission has confirmed that the personal information of tens of thousands of employees may have been compromised as a result of a ransomware attack on its systems last month.
The TTC, which operates Toronto's bus, subway, streetcar and paratransit systems, said in a statement that the compromised data includes the names, addresses and Social Insurance Numbers of 25,000 past and present employees. The agency said it's continuing to investigate whether a "small number" of customers and vendors have also been affected.
The agency added that while there is “no evidence” that any of the information has been misused, it is notifying those individuals affected and will provide them with credit monitoring and identity theft protection. The TCC has also advised employees to call their banks and alert them of the security breach.
The ransomware attack on October 29 resulted in problems with vehicle tracking and "next bus" systems, and the loss of the online Wheel-Trans booking system, said TTC chief executive Rick Leary. He added that the incident resulted in "a number of the TTC’s servers being encrypted and locked,” While most customer-facing systems have been restored already, the TTC’s internal email system remains offline.
“On behalf of the entire organization, I want to express my deep regret that this has occurred to everyone who may be impacted,” said Leary. “It is not lost on me that organizations like ours are entrusted with significant amounts of personal information and it is essential that we do our best to protect it.
"Over the coming weeks, we will continue rebuilding the remaining impacted servers and internal services, like re-establishing external e-mail capabilities. But in truth, and based on the experiences of other organizations, this could take some time."
Leary added the fact there have been nearly 700 similar cybersecurity attacks involving public and private sectors groups in Canada. On October 30, the day before TCC's ransomware attack, a separate cyberattack struck Newfoundland and Labrador's health system data centres. In a statement released this week, the provincial government said “it has been determined that some personal information and personal health information was accessed from the systems.”