Investigation into full extent of ransomware attack on Toronto Public Library still underway

Canada's largest public library system is still actively trying to understand the impact of a crippling cyberattackin October that shut down its website for months.

In afinal report set to go to the library board on Monday, the Toronto Public Library (TPL) said the full extent of the data breach is still under investigation.

While cardholder, volunteer and donor databases were found not affected, the report says some data about these groups "likely resided" on the compromised file server.

"The larger e-discovery process to investigate whether customer, donor or volunteer data has been taken from the affected file server is underway and will take more time to complete," the report says.

A forensic analysis conducted by third-party experts led the library to conclude that attackers "breached a vulnerability in an internet-facing server, exfiltrating and encrypting data from a file server," the report says.

"TPL will continue to be transparent and notify those affected as appropriate in light of any findings."

City librarian Vickery Bowlessaidthe library has been rebuilding its network and implementing a number of cybersecurity enhancements as a response to the data breach.In the report, she saidthe ransomware attack has provided many opportunities to learn and improve.

"Through this incident, TPL has learned and developed from having received the advice of third-party technical experts," the report says.

Service restoration'complex and detailed'

The library was hit with a significant cybersecurity attack on Oct. 28, 2023, disrupting systems and technology across more than 100 branches. The library previously said the attack is believed to haveexposed the names, social insurance numbers, government identification and addresses of employees dating back to 1998.

Userswereunable to place holds on books, access their accountsor use computers on sitefor months following the cyberattack.

The library's website was partially restored on Jan. 29 but access to the catalogue and online customer accounts remain unavailable. The library report says those servicesareexpected to resume operation later this month.

TPLpreviously saidpublic computer workstations are available, equippedonce more with Internet and Microsoft software to all 100 branches.

"Service restoration has been a complex and detailed process involving enterprise-wide discussions and analysis," according to the report. "Staff have worked tirelessly to restore all services as quickly as possible."

The library says afinal report on the data breach will be sent to the Information and Privacy Commissioner of Ontario.

"The rise in data security and ransomware incidents affecting organizations dedicated to community well-being, including hospitals, school boards, and libraries like TPL, is a disturbing reality," the report says.

"Public sector organizations are increasingly becoming targets, whether motivated by financial gain or sheer malice. In the case of public libraries, dedicated to equity, access to information, intellectual freedom, and openness for all, this represents an attack on the very essence of civil society."