Personal information belonging to 25K current and former TTC employees may have been stolen during ransomware attack

Personal information belonging to up to 25,000 of the TTC’s current and former employees may have been stolen during the course of a ransomware attack that wreaked havoc on a number of internal and external systems last week.

The TTC said in a statement issued on Monday afternoon that the compromised data includes the names, addresses and Social Insurance Numbers of up to 25,000 employees “past and present.”

The TTC said that while there is “no evidence at this time” that any of the information has been “misused” it is still contacting affected employees and will offer them three years of credit protection at no cost.

The transit commission said that it also still investigating whether data belonging to “a small number of customers and vendors” may have been affected by the breach.

“On behalf of the entire organization, I want to express my deep regret that this has occurred to everyone who may be impacted,” TTC CEO Rick Leary said in a statement. “It is not lost on me that organizations like ours are entrusted with significant amounts of personal information and it is essential that we do our best to protect it.”

The ransomware attack was first detected on Oct. 28, though the full impact of the breach wasn’t clear until the following day.

In his statement, Leary said that the hackers appear to “belong to an extremely well-organized enterprise” though he did not provide any information about how they may have gained access to the TTC’s networks.

He also refused to reveal whether the TTC paid any ransom to restore its service during a subsequent interview with CP24 on Monday afternoon, only saying that additional information would be forthcoming.

“This is an ongoing investigation and there a lot of forensics continuing and we will be transparent,” he promised. “There'll be more information as we find out that information.”

Leary said that ransomware attack resulted in “a number of the TTC’s servers being encrypted and locked,” which in turn knocked down the Vision System used to communicate with vehicle operators as well as a slate of other online systems, including the Wheel-Trans booking portal and the next vehicle information system.

While most customer-facing systems were restored within four days, the TTC’s internal email system remains offline.

The TTC has set up a website for current and former employees to access information about the breach.

It has also said that letters will be sent to those affected “shortly.”

In a communication sent to members on Monday, the TTC’s largest union said that it is “extremely concerned” about the apparent breach.

“We expect the TTC to treat this issue with the severity it deserves and keep our union leadership and members updated,” Amalgamated Transit Union Local 113 President Carlos Santos said. “ATU Local 113 calls on the TTC to take all necessary steps to monitor, protect and retrieve personal employee information and other sensitive data that may have been compromised in this breach.”