
Breaking News: Toronto Public Library Succumbs to Devastating Ransomware Attack, Exposing Shocking Data Breach



The Toronto Public Library Confirms Data Breach in Ransomware Attack

IT Services confirmed that personal information belonging to employees, customers, volunteers, and donors was stolen during a ransomware attack in October. The attack targeted a file server, compromising data from the Toronto Public Library (TPL) and the Toronto Public Library Foundation (TPLF) dating back to 1998.

Included in the stolen information were names, social insurance numbers, dates of birth, and home addresses of the affected individuals. Additionally, copies of government-issued identification documents provided by TPL staff were likely taken as well, according to the library’s incident report update.

Although the cardholder and donor databases remain unaffected, some customer, volunteer, and donor data stored on the compromised file server may have been exposed.

The extent of the data breach, including the specific customer data stolen and the number of affected customers, has not been disclosed by the library.

The library has chosen not to pay a ransom and is collaborating with external cybersecurity experts to investigate the incident. It has also reported the breach to Ontario’s Information and Privacy Commissioner and filed a report with the Toronto Police.

TPL is Canada’s largest public library system. It operates on a budget exceeding $200 million, serves a membership base of 1,200,000 registered individuals, and provides access to 12 million books across 100 branch libraries throughout the city.

Black Basta Ransomware Attack

While the library has not officially attributed the attack to a specific ransomware operation, it has been discovered that the Black Basta ransomware gang was behind the October 28 attack. This conclusion was drawn after a photo of a ransom note shown on a TPL workstation was examined by IT Services.

According to an employee of IT Services, the attack occurred overnight on October 27, resulting in the disruption of several services by Saturday morning.

Fortunately, the attack had minimal impact on TPL’s email services and did not affect the library’s phone system. Employees who were logged into their Office 365 accounts could still access their emails, while those who were logged out experienced difficulty accessing their email accounts.

Interestingly, the library’s primary servers housing sensitive data were not encrypted, suggesting that the Black Basta operators may not have had complete access to the library’s networks and data.

As a precautionary measure to prevent the malware from spreading, all other internal systems were shut down by IT Services following the detection of the attack.

Black Basta ransom note from TPL workstation (BleepingComputer)

Black Basta emerged as a Ransomware-as-a-Service (RaaS) operation in April 2022, specializing in double-extortion attacks against various corporate entities.

After the Conti ransomware gang shut down in June 2022 following a series of embarrassing data breaches, the cybercrime syndicate fragmented into smaller factions. Black Basta is believed to be one of these factions.

In March, the Department of Health and Human Services security team stated that “the threat group’s rapid targeting of at least 20 victims during its initial two weeks of operation indicates their experience in ransomware and a reliable source of initial access.”

Furthermore, the Department of Health and Human Services security team suspects that Black Basta may be a rebrand of the Russian-speaking RaaS threat group Conti or have connections to other Russian-speaking cyber threat groups.

Additionally, Black Basta has been associated with the financially motivated cybercrime group FIN7.

Since its emergence, the Russian-speaking ransomware gang has successfully breached and extorted numerous high-profile victims, including the American Dental Association, Sobeys, Knauf, Yellow Pages Canada, UK outsourcing company Capita, the Rheinmetall German defense contractor, and most recently, U.S. government contractor ABB.
