More people at risk as Ontario public bodies face growing wave of cyberattacks, experts say
From public hospitals and the LCBO to the Toronto Public Library, 2023 saw government organizations across Ontario hit by a growing wave of separate cybersecurity incidents that took down or impacted some of their services.
Experts say that that wave is putting a greater number of individuals at risk. One particularly concerning emerging trend, according to Information and Privacy Commissioner Patricia Kosseim, is cyberattacks against municipalities, universities, school boards and hospitals.
“Cyberthieves have gotten onto the fact that these are large scale institutions that house huge volumes of very sensitive personal information,” Kosseim told CBC Toronto — including personal health data.
“They know that these are institutions that provide essential services and that their operations are critical for society in order to operate,” she said.
“They thrive on that.”
Last January, the LCBO had “malicious code” embedded on their website that compromised customer data, leading some to monitor their transactions for suspicious activity. In the fall, Toronto Public Library was hit by a cyberattack that saw data from current and past employees stolen, with the attack itself taking down many online and in-person services until January. In November, patient data was stolen from several Ontario hospitals and published on the dark web, leaving the hospital facing a multimillion-dollar lawsuit.
As worrying as it is, experts say the trend in Canada and around the world suggests more of these attacks are on their way in 2024.
Derek Manky, chief security strategist and global vice president of threat intelligence of cybersecurity firm Fortinet, points to the firm’s latest research that suggests cybercriminals have largely exhausted phishing and other lower-level attempts at breaching an organization’s security, and are becoming more aggressive in their targets.
In the next year, Fortinet predicts criminals will turn toward artificial intelligence to help refine their tactics, recruit insiders from organizations to help breach defences, and take advantage of large geopolitical events like elections and the 2024 Paris Olympic Games.
“We’re really dealing with true cybercriminal enterprise,” said Manky, meaning it’s never been more important to learn how to properly fight back.
Health institutions are a growing focus
This year also saw attacks targeting health institutions, including SickKids in January, University Health Network’s Michener Institute of Education in May, and several hospitals in southwestern Ontario in October.
In the case of the hospitals, a database containing information on 5.6 million patient visits to one hospital and the social insurance numbers of over 1,000 health-care employees were among the data taken in the ransomware attack. Affected patient data had “varied amounts and sensitivity,” and some data was published by the hackers online.
It’s the result of both random targeting and strategic planning of hackers, according to Anne Genge, a cybersecurity expert who specializes in health-care sectors.
“They’re getting much better at their jobs,” she said.
“Cyber criminals know there’s not enough training being done, there’s not enough budget — especially [in] health care,” said Genge, adding that health care is also “where we have some of the most sensitive information about people.”
Because health-care providers are mandated to report data breaches, Kosseim says the information and privacy office can track the increase in attacks.
The office logged 62 cyberattacks in the first three-quarters of the year alone — a big leap from 2022, she says, when her office reported 23 cyberattacks total.
The attacks against health institutions tend to involve ransomware more often, Kosseim says, which can be concerning given the institutions have limited funding with which to safeguard sensitive data.
“The size of ransom that is being demanded is higher and we know that the payouts are also higher as more and more organizations succumb to these threats,” she said.
Secure your data
At Ernst and Young, the multinational professional services company where Yogen Appalraju is cybersecurity lead, he says, “We always say, ‘it’s not a matter of if, but when someone experiences an incident.'”
Appalraju is among the experts who say if companies and organizations don’t rise to meet the increasing, and increasing severity, of the attacks then things will likely get worse.
It’s important companies beef up training, security measures, and the resources they put into cyber security, including preparing for an attack, Appalraju said.
“Plan ahead of time about how you would react and the actions you would take immediately after you understand that there’s a potential breach,” he said.
At an individual level, Appalraju says, it’s important people “continue being vigilant” and change their passwords frequently, especially if they use the same password for multiple different accounts.