by As the list of municipal, health and other public institutions hit by cyberattacks grows over the past several months, cyber security experts say now is the time to check the safety of your personal information.
The Toronto Zoo announced Monday that it has been hit by a ransomware attack, less than three months after the Toronto Public Library announced it was the victim of a cyberattack.
The zoo says it discovered the attack on Jan. 5 and is now investigating “the impact, if any, on our guests, members and donor records.”
CBC Toronto asked security experts what people should keep in mind right now.
What to look out for
David Shipley, CEO of Canadian company Beauceron Security, says things look relatively low-risk in terms of the sensitivity of zoo patrons’ data so far, but it could be months before the full impact is seen.
“These types of things are like an oil spill, the mess is made and it takes a long time to clean up,” he said. “The IS [patrons and donors] who are like the innocent penguins who have to be scrubbed down … it’s not one and it’s done.”
David Shipley, CEO of Beauceron Security, says it could be months before the full impact of a cybersecurity attack against the Toronto Zoo is realized. (Submitted by David Shipley)
The zoo says it does not store any credit card information on hand, but Shipley warns that bad actors could try to use these cases to get people to hand over more information.
He says people should be on the lookout for fraudulent phishing emails that may impersonate the Toronto Zoo. Bad actors may try to get you to click on malicious links to steal your information and divert funds, he says.
He also warns that bad actors can piece together information about a person to create a more complete picture, which can then be used for fraud.
His advice is to change your passwords regularly and monitor your credit and banking records so you don’t fall victim.
“Be proactive, not reactive,” he said.
Claudette McGowan, CEO of cyber security company Protexxa, says it is “early days” for a zoo cyber attack and sometimes new information about what is affected or accessed only comes later. She says zoo members should stay alert and keep an eye out for updates.
She says vendors who have worked with the zoo in any way should also be wary.
Attacks on the city could become more serious
Shipley says municipalities and health care systems are increasingly targeted by attacks, and disrupting our technology systems can be fatal.
If water or wastewater treatment or other critical emergency services like 911 were hit, he says Toronto could be in dire straits.
Shipley says no municipality in Canada is prepared for such a major attack, but the city is better equipped to handle cyberattacks than most, with a strong police force and the Office of the Chief Information Security Officer (CISO), which was created in. 2019, trying to tackle cyber security threats.
The zoo confirmed it is working with CISO and Toronto police to respond to the attack.
“Municipalities have a wealth of information as we know, and if we don’t do our job protecting it, people’s information and our ability to deliver services are at risk,” said Toronto city manager Paul Johnson.
Toronto city manager Paul Johnson says the city needs to invest in cyber security efforts because municipalities hold so much personal information. (City of Toronto)
Johnson says the city wants to bring more of its boards, commissions and agencies under the city’s cybersecurity umbrella, rather than having them operate independently in this area.
The CISO is working with the city’s technology services division to “set standards for technology and cyber best practices and ensure compliance across all city departments,” according to city spokesman Russell Baker.
The city has not said if the attack involves the zoo and the Toronto Public Library.
Municipalities ‘undercut’: cyber security expert
McGowan says people should ask questions about whether governments and organizations conduct cyber security drills and how their information is protected. Doing so, she says, will force organizations to do more to protect information.
Claudette McGowan, CEO of cyber security company, Protexxa, says everyone should be concerned about this cyber threat to the zoo. (Submitted by Claudette McGowan)
“I’m definitely an advocate for speaking up more,” she said.
Shipley says the city and its entities like the zoo are doing a good job by being transparent about attacks and by not storing credit card information itself, but agrees there is more work to be done.
The city says it will spend about $38 million on cyber security in 2023, but Shipley believes it deserves more funding since threats are on the rise.
“Municipal government is the government you interact with the most, sometimes with some of the most financially sensitive information, or not,” Shipley said. “And they’re just being really clobbered.”
He says voters who show they care will make cyber security a priority for governments.
“Until we all exercise our agency on that side, we’re going to hear more and more of these stories, and we’re going to see more and more impactful violations that have consequences for all of us, ” he said.
