TTC failed to file cybersecurity report, raising questions about its ability to defend itself against hackers – Toronto Star
Two years before the TTC was hit by a ransomware attack that knocked vital communication systems offline and may have compromised the personal information of thousands of its employees, city council directed the transit agency to assess its networks for cybersecurity risks, and draft a plan to shore up its defences.
The TTC and other arm’s-length city agencies were told to submit their cyberthreat assessments and security strategies to the city by the end of 2020. According to the city, none of them did.
Neither the city nor the agencies involved have provided a clear explanation why. The missing reports raise questions about whether Toronto and the organizations it oversees have been doing enough to protect themselves from the growing threat of potentially devastating cyberattacks.
Coun. Paul Ainslie, who chairs the city’s general government and licensing committee, expressed surprise the assessments from municipal agencies, boards, and commissions (ABCs) never materialized, and said the issue was particularly concerning in light of the hack at the TTC.
“I hope it’s not the tip of the iceberg. Every ABC needs to take cybersecurity seriously. ABCs’ IT departments and staff can’t be operating in isolation. It will haunt them,” said Ainslie (Scarborough-Guildwood).
City spokesperson Marcela Mayo said the agencies “have not advised us of a reason for not being able to submit the assessment by the given timeline.” In a statement, TTC spokesperson Stuart Green also didn’t provide details of why the assessment wasn’t done.
But Green said the TTC is currently working on a new cybersecurity assessment process the city started this summer, and “there is no connection” between the timing of that work and the ransomware attack the agency suffered two weeks ago.
The TTC “continues to follow established best practices when it comes to cybersecurity protections” and “we are continually assessing and upgrading security systems to minimize risk,” Green said.
The Star has seen no evidence that TTC completing the assessment as directed would have prevented the ransomware attack it suffered last month.
The security breach that began Oct. 28 shut down the system TTC transit control uses to communicate with its operators, the Wheel-Trans online booking system, next vehicle arrival information and the TTC’s email network. The agency has partially restored affected systems, but the agency announced Nov. 8 the hackers may have stolen the personal information of up to 25,000 current and former employees.
Council’s directive requiring agencies …….