This is a follow-up to Spacing’s five-part series on the ransomware attack on the Toronto Public Library in the fall of 2023.
Part I: Toronto Public Library ransomware attack: Overview
Part II: Toronto Public Library ransomware attack: Unanswered Questions
Part III: Toronto Public Library ransomware attack: Was TPL adequately prepared to defend itself?
Part IV: Toronto Public Library ransomware attack: Where does the TPL go from here?
Part V: Q+A with Toronto’s chief librarian, Vickery Bowles
The City of Toronto has budgeted $1 million to cover costs incurred by the Toronto Public Library following the October 28, 2023, ransomware attack, according to documents obtained by Spacing through an access to information request.
The total includes $160,000 in legal fees; almost $74,000 for a third-party credit monitoring service provided to employees who had their data stolen; and almost $770,000 for cybersecurity experts, as well as forensics, remediation and restoration outlays. As of March 6 — when the FOI request was processed — only $170,000 had been paid out.
The TPL earlier this year revealed the City of Toronto would be covering the costs of the ransomware attack. While the $1 million figure doesn’t seem large compared to other city budget line items, the sum is equivalent to almost 3% of the entire 2024 budget of the Office of the Chief Information Security Officer, whose 84-person division is responsible for cybersecurity for the entire municipality and a number of its agencies, boards and commissions.
(During the 2024 budget cycle, the CISO saw its projected gross spending slashed by $8.7 million, or 12.5%, compared to 2023, with reductions attributed to savings on external consultants and the deferral of $4.5 million on spending on cyber initiatives attributed in budget documents to “evolving business requirements arising from the changing priorities in the cyber industry.” City officials declined to clarify the meaning of this statement.)
None of the ransomware budget figures have been made public previously. TPL chief librarian Vickery Bowles told Spacing in an interview earlier this month that she didn’t know the amounts, but noted that every one of the TPL’s 5,000 computers had to be wiped.
Spacing asked for information on the expenses incurred to restore the TPL’s system, and how those outlays were allocated. The City’s Access and Privacy Office withheld documents covered by solicitor-client privilege, as well as information “whose disclosure could reasonably be expected to be injurious to the financial interests of an institution.”
The total doesn’t appear to include the capital costs of replacing hardware, such as infected servers or laptops, nor is it clear how much the City will pay for ongoing 24/7 monitoring of the TPL’s networks, one of the security fixes announced in the wake of the attack.
The document also doesn’t specify how much either the City or the TPL will be paying to migrate and store some of its data in secure commercial cloud-based servers — a detail that likely would be considered too sensitive to make public. Bowles told Spacing that the initial breach came through one of the TPL’s internet-facing servers.
In a wide-ranging interview about Toronto’s cyber-security readiness, city manager Paul Johnson said the municipality has improved its preparedness in recent years in response to rising threat levels generally and stern warnings from the previous auditor-general. “We are nowhere near [being] able to say we’re impervious to those attacks, but we are certainly better off than we were a number of years ago,” he stated. “We’ve gone through some painful examples of a state of not being ready.” He also said the City should publicly disclose the overall amount that will be spent to clean up after the TPL ransomware attack. “This is public money and we need to account for public money.”
In the wake of attacks on the Zoo, the TTC and the TPL, as well as the City of Hamilton, Johnson explained that the City is working to bring Toronto’s numerous agencies, boards and corporations under a more centralized cyber-security monitoring system, using resources that might not be available to all those organizations. “We need to bring them deeper into the fold and really have the City of Toronto providing more of that leadership role.”
Johnson contended that members of council understand the importance of cybersecurity and have come to regard it as part of the City’s state-of-good-repair responsibilities. But he acknowledged that the City could do “a better job of communicating” the importance of the kinds of investments that residents will never actually see, and whose benefits are by definition indirect, i.e., the pay-off is when nothing bad has occurred in terms of the provision of municipal services.
The balancing act, he noted, is that cyber-security officials can’t over-communicate because to do so would be to tip off criminal gangs like the one that took the TPL’s data hostage. “There’s a reason why we don’t share all of our plans for cybersecurity,” Johnson said. “However, I think there’s a point at which we can generalize both what we’ve done to improve our security, like, does the general taxpaying Torontonian know that we monitor 24/7?”
Finally, Johnson pointed out that these latest attacks have served as a kind of wake-up call for city employees. “As painful as these moments are, the reality is they do jolt people. You don’t want to be the person that opened the door to having certain programs shut down for a number of months while we recover. But you know, with 43,000 employees and with all of the entry points, it’s a never-ending battle.”