Cyber threats are on the rise and continue to evolve. Many municipalities in Canada and the U.S. have been affected by cyberattacks in recent years. The Toronto Transit Commission was recently hit by a ransomware attack in October 2021.
In Canada, the estimated average cost of a data breach is $6.35 million. As cybersecurity threats expand and become more complex, the Auditor General continues to proactively examine the controls and evolving cyber threats to the City, its agencies and corporations, and make recommendations to improve cybersecurity.
Cyber attackers leverage the data available over the internet for an organization and its staff to launch cyberattacks. It is important that the data available over the internet is monitored, and actions are taken to reduce the cyberattack surface. We used Open-Source Intelligence (OSINT) gathering for data available on the internet to perform this review.
The objective of this review was to identify information available over the internet that may present cybersecurity risks to the City and its agencies and corporations. The organizations reviewed included:
- City of Toronto
- Toronto Police Service
- Toronto Public Library
- Toronto Transit Commission (TTC)
- Toronto Hydro
This report contains two recommendations. The confidential findings and recommendations from our review are contained in the Confidential Attachment 1 to this report.
The Confidential Attachment 1 to this report involves the security of the property of the City of Toronto and its agencies and corporations.
Some critical infrastructure at the City, such as the Toronto Water treatment plants, use Operational Technology (OT) systems called industrial control systems (ICS). ICS systems include supervisory control and data acquisition (SCADA) systems. SCADA systems monitor and control the equipment and devices used in critical infrastructure. The Canadian Cyber Security Centre describes how ICS and […]
Over the past decade, the City of Toronto, like other large organizations, is increasingly conducting business and key operations online and in a networked environment. This makes operations more efficient and citizens are served better. The City stores a vast amount of confidential and sensitive data, such as information about employees and citizens’ personal records. […]
Over the past decade, the City of Toronto, like other large organizations, is increasingly conducting business and key operations online in a networked environment. This makes operations more efficient and citizens are served better. The purpose of this report is to communicate security incidents that occurred at a City division and a City organization and […]
Cyberattacks are widely considered to be one of the most critical operational risks facing organizations. This Phase 1 report includes the results of a review of critical systems in Toronto Fire Services (TFS). This report contains two administrative recommendations. The confidential findings and recommendations from our review are contained in Confidential Attachment 1. Reason for […]
The purpose of this report is to: Communicate to Audit Committee and City Council that the Auditor General has commenced a review of a Toronto Fire Services’ critical system; and Recommend that the Chief Technology Officer continue expediting the Auditor General’s prior cybersecurity-related audit recommendations, so the City is ready to prevent, detect and respond […]
In a December 12, 2019 letter to the Auditor General, the Toronto Police Services Board requested the Auditor General to conduct a cybersecurity audit. Given the size and importance of Toronto Police Service (TPS) and the sensitivity of the information it retains, the Auditor General prioritized the allocation of resources on the request and agreed […]