The city of Toronto is working to bring its various boards and agencies under a single centralized IT system to avoid another catastrophic cyberattack.

Toronto has suffered two notable cyberattacks in recent months, with the attack on the Toronto Public Library in October crippling library systems for several months, making it difficult for patrons to use computer facilities and borrow items.

Another attack targeted the Toronto Zoo earlier this month.

In both cases, hackers stole personal information about employees, and the zoo said the stolen information included past payroll information, social insurance numbers, birth dates, phone numbers, and home addresses.

In an email to CP24.com, the city confirmed that the zoo and the library were not part of Toronto's centralized IT systems before the attack, and were not under the responsibility of the Chief Information Security Officer's office.

The city said: “Agencies, boards, and corporations are responsible for their own cybersecurity and are separate from the city's centralized system portfolio.”

According to the city, the Chief Information Security Officer (CISO) office "creates and oversees the city's comprehensive cyber strategy to detect, prevent, respond to, and recover from cyber threats."

However, while this office provides cybersecurity services such as cyber assessments and staff training to agencies, boards, and corporations, these entities do not fall under its responsibility.

The city of Toronto has dozens of agencies, boards, and corporations, including Toronto Police, TTC, Toronto Hydro, and Toronto Community Housing.

Mayor Olivia Chow said last week that although Toronto's centralized system is considered highly secure, many boards and agencies in the city have systems that are not part of the centralized system, noting that the city is now working to change that.

Chow added in an announcement regarding increased funding for libraries: “The main system in the city of Toronto is one of the most secure systems in North America, ranking second after New York.” “We have many agencies, boards, and committees. We are calling on boards, agencies, and committees to join the IT system in downtown Toronto to be more secure. And that is happening now.

However, the city has experienced its own breaches in the past, and in 2021, the city said it was a victim of a “potential cyber breach” related to a third-party file transfer program, clarifying at the time that other organizations were affected by the same attack, and noting that it “successfully repels cyber attacks on a daily basis.”

Experts say the recent attacks highlight how vulnerable local institutions are to attacks by cybercriminals, and they say such attacks are likely to increase in the future.

Local institutions are attractive targets for cyberattacks

Tech analyst Carmi Levy told CP24.com in an interview: “There is no doubt that we are witnessing increasing numbers of cyberattacks, increasing complexity of cyberattacks, and a spread in targeting, with organizations and sectors that were not previously in the firing line now finding themselves increasingly targeted.

“And all of this comes for profit. Money can be made from cybercriminal activities, and data is the currency used in the world of cybercriminals. And there is a lot of data that can be obtained.”

He said cybercriminals, who often operate from abroad, are increasingly aware of institutions where large amounts of personal data may flow through systems with relatively low investment in security.

Levy said: “Because these organizations are largely publicly funded and don’t have the budgets, staff, and support for proactive investments in cybersecurity, you almost have the perfect ingredients for successful cyberattacks.” “Because you have high-value targets on one hand and relatively low investment in cybersecurity on the other, and this attracts cybercriminals.

He said public institutions that have outsourced some of their IT services to external providers have also learned the hard way that they are vulnerable if third-party providers are compromised. He said this was the case with the recent cyberattack targeting a group of Ontario hospitals all using a common external provider.

He said that although investing in improving cybersecurity may be more costly, not doing so could be much more expensive.

He continued, “I look at cybersecurity preparedness like insurance; it’s not exciting. No one wants to talk about it. Everyone considers it an unnecessary expense, and usually, that’s the first place they try to cut budgets.” “But the cost of investing in cybersecurity preparedness, having the right technologies, staff, and training, pales in comparison to the cost of recovering from a successful cyberattack.”

While the costs of the recent attacks in the city are not yet known, a recent study conducted by Palo Alto Networks for the Angus Reid Institute found that the average ransom paid by mid-sized Canadian companies to cybercriminals has jumped to over $1.13 million.

The city said no ransom was paid in connection with its recent cyberattacks.

In a recent interview with Newstalk 1010, TMU cybersecurity expert Charles Finley made municipal institutions particularly attractive targets because they serve so many people.

“So municipalities are really important, and the importance of the services municipalities provide—think water, sewage water, 911, fire, emergency, police—all those parts of the services they really provide,” he said. “They paid the price they had for the cyberattack.”

In the current context, it may come as a surprise that the city actually plans to spend less on cybersecurity in its latest budget than it did last year.

However, Shelley Carroll, budget chair, said that although the CISO office is indeed scheduled to see a budget cut this year, the higher budgets in previous years were in place to help establish the office, and staff now feel they can achieve the same with less in a budget environment where every department is being asked to cut back.

She said centralizing all the city's various agencies under one IT roof aligns with what other municipalities are doing as they recognize the increasing threat of cyberattacks.

She told reporters recently, “Every public body, especially at the municipal level, in North America is tightening those systems.” She said this step will also help attract better talent which will benefit all local government agencies and will save costs through central purchasing.

Meanwhile, the city said it expects its library systems to gradually come back online during February.