In a statement released on Nov. 9, the Toronto Public Library (TPL) has officially addressed a cybersecurity incident that unfolded earlier in the day, marking it as a ransomware attack. The incident has impacted several key services, including tpl.ca, “your account,” tpl:map passes, and digital collections. Concurrently, public computers, printing services, and certain online services are currently unavailable.
Despite the disruption to online services, TPL said that all library branches remain open as scheduled. While some services are affected, wifi is still available, and library branch telephone lines are operational. Individuals can continue borrowing and returning materials in branches until further notice.
TPL emphasized that, at this point, “there continues to be no evidence at this time that the personal information of our staff or customers has been compromised.”
In response to the incident, TPL has taken proactive measures, engaging with third-party cybersecurity experts and law enforcement to address and mitigate the impacts of the ransomware attack.
The organization anticipates a comprehensive restoration of all systems to normal operations, with a projected timeline of a week or more. However, TPL expects to bring some services back online before the full restoration.
StreetsofToronto.com spoke to cybersecurity expert Charles Finlay the founding executive director of the Rogers Cybersecure Catalyst at Toronto Metropolitan University about ransomeware attacks, what’s at stake for TPL and what it means to Torontonians.
What can you tell us about the TPL attack?
So what the library is saying in their public statements, and that’s all I have access to, is that they have been the victim of a ransomware attack. A ransomware attack is an attack launched by a organisation or individual in which the objective is to seize the system, or data of the target organisation, or sometimes both, for the purposes of extorting money. So, typically what happens is that a ransomware gang, although in this case, we have no idea who’s behind this, that’s not being publicly reported. But typically, a ransomware game will seize an organization’s digital infrastructure, their computer systems, and will only release the operation of those systems back to their rightful operators if a ransom is paid?
In general terms, how common is this type of attack?
Unfortunately, it’s common and becoming more common. We’ve seen major ransomware attacks against public institutions in Canada, including hospitals. educational institutions, both at the secondary, and at the university level. We’ve seen major ransomware attacks in North America against energy infrastructure. We’ve seen major attacks against governments and other kinds of public institutions. Ransomware is a multibillion dollar international industry. It’s a very profitable, illegal business. And, a major challenge for organisations of all kinds and for civil society, law enforcement, and all of us.
Is the general consensus that you just have to pay and move on, or is there a way to combat cybersecurity incidents?
Well, it really depends on the nature of the attack, the nature of the systems that have been seized and the kind of organisation that’s been impacted. So what the Toronto Public Library is telling us is that they had proactively planned for this eventuality, which is important. That’s a critical step, to plan in advance for this kind of attack. They have indicated that they have engaged third-party cybersecurity experts who are working with them likely to understand the exact, you know, malware that is being used. And you know, what the options are to the organisation in terms of mitigating the attack. And then decisions have to be made at the organization about whether to pay the ransom or not. Law enforcement agencies advise against paying ransoms because it obviously continues a vicious cycle of these attacks being profitable and continues the blight of ransomware attacks. But in some cases, organisations have to do what they have to do in order to maintain their operations.
What risk is there in terms of people’s information with the library?
It really depends on what kind of information the library collects on people. I’m not an expert in that. But certainly, generally speaking, it creates a risk of confidential personal information being disclosed if the victim organization collects that information in the first instance. So, for example, in the case of attacks on hospitals, and other kinds of an on on corporations, sensitive corporate and personal data can be exposed.
Okay, so the ransomware attacks could be partly to extort money and partly to gather that information to sell to a third party?
Yes, it certainly can be. And sometimes there’s double extortion where the money is extorted around the release of the systems, and then money is also extorted around the protection of the data. So we’re seeing that, more and more. I don’t know if the Toronto Public Library collects sensitive data related to clients who use their systems.
Are these ever personal attacks, going after individual computer systems and extorting money from regular people, or is it just corporations and organizations?
Typically no, well, there are different kinds of Internet-enabled extortion that can target individuals. But this kind of a ransomware attack that they’re talking about is usually launched against an organization from which the attacker hopes that they can extort a significant amount of money. And it’s usually not personal in the sense of there being a personal motivation behind these attacks. They’re essentially hold ups. They’re intended to reap maximum rewards for the ransomware gang that launched the attack
What is the likelihood these ransomware attacks like the people doing this are caught?
It’s a really important question. In many cases, the ransomware attackers are actually based overseas, in jurisdictions where law enforcement isn’t going to be able to reach them. For example, we’ve seen significant attacks launched by ransomware gangs in Russia, North Korea, and Iran. And, obviously, law enforcement is not going to be able to to access those. But law enforcement in Canada is becoming much more active and is working with international partners in an effort to try to bring prosecutions against ransomware attackers and create a deterrent for this kind of attack, but it’s very difficult police work, and it’s a challenging environment.