Toronto

Toronto needs to beef up cybersecurity to avoid 'devastating' data breach: auditor general

With cyber threats evolving, there is an urgent need for the city to beef up its cybersecurity program to "adapt to new threats," says Toronto's auditor general.

City houses 4,700 terabytes of data, needs to 'strengthen' security controls

Toronto's auditor general is pushing the city to beef up cybersecurity to avoid a 'devastating' data breach. Right now, around 4,700 terabytes worth of public data are housed in various city systems and computers. (Evan Mitsui/CBC)

Toronto's auditor general is pushing the city to beef up cybersecurity to avoid a "devastating" data breach.

In a report heading to council's audit committee on Friday, Beverly Romeo-Beehler says the city needs to "strengthen" information technology and security controls, adding little has been done since she brought forward similar concerns three years ago.

Right now, around 4,700 terabytes worth of public data are housed in various systems and computers at the city, her report notes.

"A single breach could have a devastating impact," Romeo-Beehler writes.

Cybersecurity breaches — like ransomware or phishing attempts, where high-level employees are impersonated — have made headlines recently in other Canadian municipalities. 

Just this year, city staff in Saskatoon sent more than $1 million to a person who was using an email address to impersonate the chief financial officer for a construction company city officials were working with.

The city of Ottawa's treasurer wound up in a similar situation and unknowingly transferred more than $100,000 to fraudsters after someone used a fake email account to impersonate the city manager, while Burlington officials fell victim to a "complex" $500,000 phishing scheme.

Cybersecurity expert Kevvie Fowler, the global incident response leader for Deloitte, said municipalities often have a lot of assets that are desirable to hackers, including personal information like residents' financial data, mortgage information, birth and death records, and social insurance numbers.

"It definitely makes them a target from a cybercrime standpoint," he added.

Cybersecurity a 'constant' concern, mayor says

Fowler said all cities, Toronto included, should ensure their systems have "basic hygiene" in place.

That can mean cyber awareness training for workers, or putting response plans in place in case there's a breach.

In a report heading to council's audit committee on Friday, auditor general Beverly Romeo-Beehler says the city needs to 'strengthen' information technology and security controls. (Twitter)

Alongside her new report, Romeo-Beehler provided a series of confidential recommendations to city officials, aimed at making changes to both the technical and culture side, along with looking at human behaviour when it comes to cybersecurity threats. 

She noted that none of her previous recommendations from 2016, which included vulnerability assessment and penetration testing, have been fully implemented.

Mayor John Tory, speaking to reporters last week, stressed that the city is making an effort.

"This is a constant topic of concern to us, that we are working hard to ensure the data and systems maintained by the city are secure," he said.

"If there's more to be done, it will be done. Because we can't afford to have people out there thinking the information that they share with us is at risk."

About the Author

Lauren Pelley

City Hall reporter

Lauren Pelley is a CBC reporter in Toronto covering city hall and municipal affairs. Contact her at: lauren.pelley@cbc.ca

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.