Toronto Public Library website back online after ransomware attack

Canada's largest library system said it expects its network of 2,000 public computers, its online catalogue and the "Your Account" feature to be available next month.

Thestar.com
Jan. 30, 2024
Rachel Mendelson, Emily Fagan

Three months after a debilitating ransomware attack hit the Toronto Public Library (TPL), its website is up and running again -- an “important milestone in our recovery efforts,” the library said.

“We’re just as eager as you are for things to get back to normal,” TPL said in a post on X on Monday. “Full recovery is a gradual process, and the end is in sight. Thanks so much for sticking with us!”

TPL has said it expects its network of 2,000 public computers, which are a lifeline for those who depend on them to apply for jobs, housing and government services, to be available for booking early next month. The library’s popular online catalogue and the “Your Account” feature, which allow users to search for and reserve items, should be working again by late February.

“The full and safe recovery of our services will take time, and we truly appreciate your patience and understanding during this challenging time,” TPL said in a statement.

Canada’s largest library system has said it refused to pay those responsible for the attack -- who have been identified as the Russia-linked Black Basta group. The library has alleged that those responsible stole a “large number of files” from a server containing employee information, including names, social insurance numbers, dates of birth and home addresses.

The stolen data might be published on the dark web, the library said. TPL has hired a cybersecurity expert to assess the extent of the breach.

The library’s cardholder and donor databases weren’t affected, but some data from customers, donors and volunteers that was located on the compromised file server may have been exposed, the library said.

“It will take us time to analyze data to determine who is affected and how. We will continue to be transparent and notify those affected as appropriate and in light of our findings,” the library said.

New details are also emerging about another ransomware attack earlier this month, targeting the Toronto Zoo.

The ransomware gang that stole the personal data of current and former zoo employees has identified itself as Akira.

In a post on its data leak site on the dark web, the international crime group believed to have formed last year says that unless the zoo pays a ransom, 133 gigabytes of data will “be published soon,” including nondisclosure agreements and personal documents, such as drivers’ licences.

The city-owned zoo will not pay the $1.6 million ransom demand, zoo board chair Coun. Paul Ainslie said in an interview on Monday. The zoo is working with Toronto police, city cybersecurity staff and outside experts to protect the computer system and ensure it’s not vulnerable to another attack, Ainslie said.

The zoo and the library have both offered current and past employees free use of a credit monitoring service for two years to check for signs of identity fraud using their stolen information.

The zoo didn’t experience a major loss of website functions and the attack didn’t affect the safety of animals, the zoo said.

Brett Callow, a threat analyst with Canadian cybersecurity firm Emsisoft, said Akira’s targets are varied. Ransom demands can range from tens of thousands of dollars to more than $100 million, Callow said.

“They don’t seem to have a type of victim -- it seems to be any organization that could potentially pay,” he said.

But even organizations that do pay might not be free of Akira, Callow said. In some cases, he said Akira has returned to those who paid ransoms, posing as a security consultant claiming that Akira still had sensitive data, which would require further payment to delete.