Toronto

Toronto Zoo is the latest public institution hit by cybersecurity attack. Here's what it means for you

As the list of municipal, health and other public institutions hit by cyber attacks over the past several months grows, cyber security experts say now is a good time to check up on the safety of your personal information.

Cyber security experts say it could be months before full impacts are felt

Exterior shot of the Toronto Zoo welcome sign.
The Toronto Zoo is the victim of a ransomware attack. Cyber security experts say everyone should stay vigilant to future scams. (The Toronto Zoo/Twitter)

As the list of municipal, health and other public institutions hit by cyber attacks over the past several months grows, cyber security experts say now is a good time to check up on the safety of your personal information.

The Toronto Zoo announced Monday it's been hit by a ransomware attack, less than three months after the Toronto Public Library announced it was the victim of a cyber attack.

The zoo says it detected the attack on Jan. 5 and is now investigating "the impact, if any, to our guests, members and donor records."

CBC Toronto asked security experts about what people should keep in mind right now.

What to look out for

David Shipley, CEO of the Canadian company Beauceron Security, says things look relatively low risk in terms of the sensitivity of the zoo's patron data so far, but it could be months before the full impact is seen.

"These types of things are like oil spills, the mess gets made and takes a long time to clean up," he said. "The [patrons and donors] are like the innocent penguins that have got to get scrubbed down… it's not one and done."

A man wearing a black turtleneck and jeans standing in room full of computers
David Shipley, CEO of Beauceron Security, says it could be months before the full impacts of a cybersecurity attack against the Toronto Zoo are known. (Submitted by David Shipley)

The zoo says it doesn't have any credit card information stored on hand, but Shipley warns bad actors may try to use these types of situations to get people to hand over more information.

He says people should be on alert for potential fraudulent phishing emails impersonating the Toronto Zoo. Bad actors may try to get you to click on malicious links to steal your information and misdirect funds, he says.

He also warns that bad actors can piece information about a person together to build a more complete picture, which can then be used for fraud.

His advice is to change your passwords regularly and monitor your credit and banking records to avoid being a victim.

"Be proactive, not reactive," he said.

Claudette McGowan, CEO of the cybersecurity company, Protexxa, says it's "early days" for the zoo's cyber attack and new information about what's been impacted or accessed sometimes only comes to light later. She says zoo members should stay vigilant and look out for updates.

She says vendors who have worked with the zoo in any way should also be on alert.

Attacks on the city could become more serious

Shipley says municipalities and health-care systems are increasingly the target of attacks, and that disruption to our technological systems can be deadly.

If water treatment or wastewater or other critical emergency services like 911 were hit, he says Toronto could be in a very bad situation.

Shipley says no Canadian municipality is ready for a major attack of that nature, but the city is better resourced to handle cyber attacks than most, with a robust police force and the Office of the Chief Information Security Officer (CISO), which was created in 2019, trying to tackle cyber security threats.

The zoo confirmed it's working with CISO and the Toronto police to respond to the attack.

"Municipalities have a treasure trove of information as we know, and if we don't do our job protecting it, people's information and our ability to deliver services is at risk," said Toronto city manager Paul Johnson.

paul
Toronto's city manager Paul Johnson says the city must invest in cyber security efforts because municipalities have so much personal information. (City of Toronto)

Johnson says the city is trying to bring more of its boards, commissions and agencies under the city's cyber security umbrella, rather than having them operate independently in this area.

CISO has been working with the city's technology services division to "set standards for technology and cyber best practices and ensure compliance across all city divisions," according to city spokesperson Russell Baker.

The city has not said if the attack on the zoo and the Toronto Public Library are related. 

Municipalities 'being clobbered': cyber security expert

McGowan says people should ask questions about whether governments and organizations conduct cyber security drills and how their information is protected. Doing so, she says, will push organizations to do more to protect information.

Claudette
Claudette McGowan, CEO of the cybersecurity company, Protexxa, says everyone should care about this cyber threat to the zoo. (Submitted by Claudette McGowan)

"I am certainly an advocate for speaking up more," she said.

Shipley says the city and its entities like the zoo are doing a good job by being transparent about attacks and by not storing credit card information itself, but agrees there is more work to do.

The city says it spent approximately $38 million on cyber security in 2023, but Shipley believes it deserves more funding given threats are increasing.

"Municipal government is the government you interact with the most, that sometimes has some of your most sensitive information financially, or whatnot," Shipley said. "And they are just actually being clobbered."

He says voters showing they care will make cyber security a priority for governments. 

"Until we all exercise our agency on that side, we're going to hear about these stories more and more, and we're going to see more and more impactful breaches that have consequences for all of us," he said.

ABOUT THE AUTHOR

Clara Pasieka is a CBC journalist in Toronto. She has also worked in CBC's national bureau and as a reporter in the Northwest Territories, Ontario and New Brunswick. Her investigative work following the Nova Scotia Mass Shooting was a finalist for a CAJ Award. She holds a Masters degree in Public Policy, Law and Public Administration from York University.