Personal info of 25,000 current and former TTC employees may have been stolen in cyber attack, agency says

Thestar.com
Nov. 9, 2021
Ben Spurr

Hackers may have stolen the personal information of up to 25,000 current and former TTC employees in a sophisticated cyber attack late last month, the transit agency says.

The TTC reported on Oct. 29 that it believed it had been the victim of a ransomware attack that resulted in several key internal agency systems being knocked offline. Since then the TTC has been gradually restoring its networks, but in a statement Monday it said that based on its investigation into the incident, “it now appears that the personal information of some TTC employees, former employees and pensioners may have been stolen.”

The affected information may include employee names, addresses and social insurance numbers, the TTC said.

Additionally, the agency is investigating whether information relating to “a small number of customers and vendors may also be affected.”

The TTC statement said for the moment there is no evidence the information that was access has been misused. But the agency is notifying anyone who may have had their information stolen, and is offering three years of free credit monitoring and identity theft protection through consumer credit reporting agency TransUnion. It has also advised employees to call their banks and alert them of the security breach at their employer.

“On behalf of the entire organization, I want to express my deep regret that this has occurred to everyone who may be impacted,” TTC CEO Rick Leary said in a statement.

“It is not lost on me that organizations like ours are entrusted with significant amounts of personal information and it is essential that we do our best to protect it.”

The TTC didn’t immediately explain what customer and vendor information it believes could have been affected by the breach.

The Presto fare card system is overseen by provincial transit agency Metrolinx and is not housed on TTC servers. A spokesperson for Metrolinx said no Presto users’ information was compromised in the attack.

TTC spokesperson Stuart Green said Monday the agency’s investigation so far indicates COVID-19 vaccination information that employees submitted through the TTC’s vaccine portal also hadn’t been accessed.

He didn’t rule out the possibility that hackers had got their hands on other sensitive data the TTC doesn’t yet know about.

“We are still investigating what may have been compromised,” he said.

Carlos Santos, the president of Amalgamated Transit Union Local 113, which represents about 12,000 of the TTC’s current 16,000 employees, said the union “is extremely concerned” about the breach.

“We expect the TTC to treat this issue with the severity it deserves and keep our union leadership and members updated,” Santos said in a statement. He called on management “to take all necessary steps to monitor, protect and retrieve personal employee information and other sensitive data that may have been compromised.”

The TTC has so far released few details about the cyber attack or who may have been behind it. But in his statement, Leary said the agency believes the culprits “belong to an extremely well-organized enterprise.”

He said the hackers encrypted and locked TTC servers during the attack, which resulted in the shutting down of the agency’s Vision system, which transit control uses to communicate with vehicle operators. Vehicle arrival information was also taken offline, as was the Wheel-Trans online booking system and the TTC’s external network connectivity, including its email system.

The TTC has restored what it considers the most important systems but its email capability remained offline Monday afternoon.

Leary said the agency has “been working day and night” to resolve the effects of the attack and will continue restoring its stricken network “over the coming weeks.”

“But in truth, and based on the experiences of other organizations (that have suffered similar attacks), this could take some time,” he acknowledged.