The Toronto Public Library (TPL) is in the final stages of recovering from a ransomware attack on October 28, 2023 that shut down the library’s internal network, website, and public computers. Although TPL managed to keep all of its 100 branches open and host programs throughout the ordeal, patrons were unable to access their library accounts online or use the library’s computers for more than two months. And while TPL has also continued to manually check out print books and other physical materials, the library has been unable to process holds or check the materials back in when they are returned.

“We’ve got 12 53-foot tractor trailers filled with returns—well over a million items,” Toronto’s City Librarian Vickery Bowles told LJ in early January. “Ransomware is becoming so pervasive, and it’s affecting organizations dedicated to community well-being such as hospitals, schools, and libraries, of course. I really feel that public sector organizations are becoming targets.”

According to the “2023 Palo Alto Networks Canada Ransomware Barometer” report, which includes analysis of a survey of IT professionals conducted by Angus Reid Group, 35 percent of Canadian businesses with at least 100 employees were hit by ransomware attacks during the past year. Fifty-eight percent of those businesses needed more than a month to recover from an attack, while 24 percent took longer than four months. The report notes that cyber criminals appear to be targeting manufacturing businesses “significantly more” than other types of Canadian businesses and institutions, but “today’s threat actors do not discriminate against specific industries.” In fact, the British Library was hit with a separate ransomware attack on the same day as TPL last fall, the London Public Library in Ontario was attacked in December, and the Toronto Zoo was attacked earlier this month.

“In the case of public libraries, I think [cyber attacks] are particularly troublesome, because we’re dedicated to equality and access to information and intellectual freedom and openness to all,” Bowles said, adding that this attack has impacted people throughout the community, especially patrons who rely on TPL for access to public computers and other technology. “I think this represents an attack on the very essence of civil society. That's what I think is really troubling about all this—when I hear about the impact this is having on people like students, low-income communities, youth, job seekers, [people] who don’t have any other resources other than what the library can offer. It’s just heartbreaking.”

Ransomware is a form of malware that encrypts files on a computer or an entire network of computers. The cyber criminals who make these attacks then demand a ransom to decrypt the files—often hundreds of thousands or even millions of dollars for larger businesses and institutions. In many cases, ransomware attackers do not attempt to steal an organization’s data, but in this case, personal information on current and former employees of TPL and the TPL Foundation dating back to 1998 was also stolen. TPL has provided credit monitoring services to those impacted by the data breach. Cardholder and donor databases were not impacted.

As law enforcement agencies in Canada and the United States generally advise, TPL did not pay the ransom.

“We didn’t for a number of reasons, not the least of which is just by paying a ransom you’re funding and fostering further criminal activity,” Bowles said. In addition, law enforcement agencies note that there is no guarantee that the criminals will provide the key to unencrypt an institution’s files once the ransom is paid or refrain from attacking a victim again.

Instead, TPL immediately shut down their systems, notified the city of Toronto and its cybersecurity team, the Toronto Police, and the Royal Canadian Mounted Police. TPL also began working with outside legal counsel with expertise in cybersecurity and a separate cybersecurity company to conduct a forensic analysis of the attack.

Since the investigation is still ongoing, Bowles could not disclose any details about how the attack was carried out, but according to the U.S. Department of Justice, three of the most common ways that ransomware attackers infiltrate networks are via email phishing campaigns through which the attackers obtain login credentials to a network, remote desktop protocol vulnerabilities that enable an attacker to remotely gain control of an employee’s computer, and other unpatched software vulnerabilities.

To mitigate ransomware risks, the U.S. Federal Bureau of Investigation recommends the following best practices:

• Regularly back up your organization’s data, system images, and configurations, test the backups, and make sure the backups are not connected to the network.
• Have staff use multifactor authentication to log into their work email and other work accounts.
• Update and patch your systems whenever updates are issued.
• Keep all security solutions up to date.
• Create an incident response plan and test it.

In an end-of-year message to staff and patrons published on December 20, 2023, Bowles noted that since the attack, TPL had managed to loan half a million books and physical materials—all manually checked out by staff—and issue almost 10,000 new library cards to patrons. “In addition to this, the increased borrowing of ebooks, e-audiobooks, and digital magazines has pushed us over 11 million digital checkouts in 2023, surpassing our goal for the year by almost one million,” she wrote. “Torontonians continue to visit us in the branches and online to attend programs. This has been especially important for the city’s children and youth, who have participated in our many after-school programs, and have visited our Youth Hubs, which have remained open throughout.”