Cyberattacks are widely considered to be one of the most critical operational risks facing organizations. According to the Canadian Centre for Cyber Security Bulletin, 2021:
“2021 has been marred by a series of high-profile ransomware attacks around the world… In the first half of 2021, global ransomware attacks increased by 151% when compared with the first half of 2020. This year has also been marked by the highest ransoms and the highest payouts. In Canada, the estimated average cost of a data breach, a compromise that includes but is not limited to ransomware, is $6.35M CAD. The Cyber Centre has knowledge of 235 ransomware incidents against Canadian victims from 1 January to 16 November 2021. More than half of these victims were critical infrastructure providers.”
Cybersecurity threats to the City are real. Cyber attackers recently attacked Toronto Transit Commission’s (TTC) IT infrastructure. The attack affected several critical services, including Vision (a critical application used to communicate with vehicle operators), Wheel-Trans (a critical reservation application), and TTC’s internal email service. The personal information of 25,000 current and former TTC employees may also have been stolen during the attack.
The Auditor General has been proactive in her audits of cybersecurity at the City and has completed several vulnerability assessments and penetration testing of critical systems at the City, including an overall assessment of the City’s IT infrastructure, Toronto Water SCADA system, Fire Services critical system and Toronto Police IT infrastructure. Cybersecurity reviews are now expanding to include agencies and corporations.
The Auditor General initiated a cybersecurity audit of the TTC in accordance with her 2021 Work Plan. The planning for this audit was underway when the TTC became a victim of a ransomware attack on October 29, 2021. However, the Auditor General’s testing team had already gathered some information about the TTC’s IT systems and infrastructure, and she was able to continue with her work. The phase 1 report contains the results of this part of her assessment, so that management can address the vulnerabilities found in a timely manner.
This report includes the results of our review of critical IT assets and processes used to manage IT system users at TTC. We will provide future reports after completing the next series of audits, which were temporarily suspended so that TTC could focus on restoring services and systems affected by the October 2021 cyber attack.
This report contains three administrative recommendations. The confidential findings and recommendations from our audit are contained in Confidential Attachment 1.
Confidential Attachment 1 to this report involves the security of the property of the City of Toronto or one of its agencies and corporations.