On October 29, the TTC was the victim of a cybersecurity incident that impacted a number of its customer and internal services. This incident did not cause significant service disruption. However, the TTC did lose some of our operator and customer-facing features that are now back online.
The TTC has been working closely with leading cybersecurity experts to investigate and restore its systems. This was a sophisticated incident, similar to hundreds reported in Canada in the last year.
Based on the investigation so far, it appears likely that personal information of approximately 25,000 current and former employees and pensioners may have been stolen. This information may include names, addresses and Social Insurance Numbers (SINs). We continue to investigate whether a small number of customers and vendors may also be impacted.
Impacted employees will be notified directly by letter. As the investigation continues, we will reach out to additional individuals who may be affected to offer assistance as appropriate.
The below Frequently Asked Questions provide more information and supports. We will continue to update our website as more details become available.
Frequently Asked Questions
- What happened?
The TTC has been investigating a cybersecurity incident that took place on Friday, October 29. In addition to conducting a thorough investigation, our team has been working diligently to restore our systems safely and we have added additional protections to prevent a similar incident. There continues to be no impact to TTC service.
- What is a cybersecurity incident?
A cybersecurity incident involves a compromise of an organization’s systems or data by an unauthorized third party.
- What systems were affected and what has been restored?
At this time, internal TTC email service continues to remain offline. If you’re a TTC customer and have attempted to send us an email since Friday, October 29, please continue to reach out to customer service at 416-393-3030 or tweet us at @TTChelps.
The following impacted services and systems have been restored:
- TTC’s Vision system, used to communicate with vehicle operators
- Next vehicle information on platform screens, through trip planning apps and on the TTC website
- Online Wheel-Trans bookings
- When will the remaining systems be restored?
Our teams are working around the clock to safely restore all systems. We are still investigating the incident and will communicate with our employees and the public when we have more information.
- What information was accessed during the cyber incident?
Based on the investigation so far, information of some of our employees, former employees and pensioners may have been stolen. This information may have included names, addresses and Social Insurance Numbers (SINs) of up to 25,000 current and former employees.
We continue to investigate whether a small number of customers and vendors may also be affected and we will notify when we have further information.
It is very important to note that, at this time, there is no evidence that any of the personal information that was potentially stolen has been misused.
- Was any other employee information stolen?
Our investigation so far indicates that the information affected may have included names, addresses and Social Insurance Numbers.
- What will you be doing to protect people whose data was affected?
We are notifying employees and individuals who may have been affected and providing credit monitoring and identify theft protection to them as appropriate.
Notification letters will go out shortly but in the meantime employees, former employees and pensioners can call a dedicated employee hotline at 416-362-7547 through Employee Service Centre. The Centre is open from 7 a.m. to 5 p.m., Monday to Friday.
For information on how to set up credit monitoring, employees can ask their manager or supervisor about the best way to contact TransUnion.
We will also continue to update this website as more information becomes available.
- Why did this incident occur and what is the TTC doing to fix it?
Like many organizations around the world, we work extremely hard to plan and prepare for situations like this; however, the fact remains that these types of incidents are becoming increasingly sophisticated. Last week the TTC took additional measures to secure organizational information. The intent is to stay one step ahead of cyber-criminals. Cyber-criminals are also always developing new techniques and it is therefore impossible for any organization to be completely immune from cyberattacks, despite having robust cybersecurity measures in place.
We take matters of safety and security very seriously. In the days and weeks ahead, we will continue our investigation to determine how this incident happened and what we can do to further protect ourselves from similar incidents in the future.
- How many people are affected?
Based on the investigation so far, up to 25,000 individuals may have been affected.
- What cybersecurity measures does the TTC have in place?
The TTC has a robust security program in place and we test our systems and evaluate the technology platforms we use regularly. We also provide regular cybersecurity training to our employees.
These types of cyber incidents are unfortunate and can be disruptive, but this incident also highlights the importance of preparedness which allowed our team to respond quickly to manage and mitigate the incident and to get our public facing systems up and running safely and quickly.
Statement from TTC CEO Rick Leary on November 8, 2021
As we announced on Friday, October 29, the TTC was recently the victim of a sophisticated cyber security incident that impacted a number of internal and customer-facing functions.
Today I am providing an update on that incident.
Let me remind everyone that protecting the health and safety of our customers and employees is our top concern and this incident did not compromise that.
As I’m sure everyone can appreciate, these incidents are intricate in nature and require complex solutions.
Over the past week, we have been working day and night to resolve this situation – to get our lost services back online and to gain a clearer understanding as to the breadth of the incident.
The incident resulted in a number of the TTC’s servers being encrypted and locked, resulting in the loss of our VISION system, vehicle arrival information, and online Wheel-Trans booking systems, as well as external network connectivity, including e-mail.
Based on what we know at this point, the culprits were able to gain access to TTC files that may contain personal information of approximately 25,000 employees, past and present. We continue to investigate whether any customer or vendor information was compromised.
There’s no evidence at this time that any of this information has been misused.
Again, while we do not have evidence that any of this information has been misused, we are taking steps to ensure those who may be impacted are protected from things like identity theft. We are doing this by offering three years of credit protection through TransUnion.
This is being done both out of an abundance of caution and because it’s the right thing to do. In the coming days we will be reaching out to these potentially affected individuals to advise them of next steps.
What we know about the threat actors in this case is that they belong to an extremely well-organized enterprise.
On behalf of the entire organization, I want to express my deep regret that this has occurred to everyone who may be impacted.
It is not lost on me that organizations like ours are entrusted with significant amounts of personal information and it is essential that we do our best to protect it.
The fact that in the past year there have been nearly 700 similar cyber security incidents involving public and private sector organizations in Canada is indicative of just how pervasive they really are.
I want everyone to be assured the TTC continues to follow best practices in securing our IT infrastructure.
I believe it is also important for the reputation of the TTC to be honest and open with our employees, customers and stakeholders. That’s why we continue to share what we know and how we have responded to this incident as soon as we are able.
As I told our Board last week, we are fully committed to learning from this incident.
Additionally, we are in the process of notifying everyone we believe may have been impacted, including employees, former employees and pensioners about how they can participate in the program to protect their identity.
Over the coming weeks we will continue rebuilding the remaining impacted servers and internal services, like re-establishing external e-mail capabilities. But in truth, and based on the experiences of other organizations, this could take some time.
These are certainly challenging times for this organization as we work tirelessly to restore all functions to their previous state. But I am fortunate to be surrounded by 16,000 talented employees who I know will get us there as quickly as possible.
I again want to thank all of our employees for their dedication and hard work, and our customers for their patience and understanding.
Last updated: November 10, 2021