Cybersecurity Incident
Final notification
Since we first discovered the cyberattack on our systems in late October 2023, we have done extensive data forensics to determine the scope of the data breach and to notify those affected. We have now completed this investigation and are providing our final notification to those who may have had some data exposed. We have embraced transparency throughout our response and have elected to inform the final group of affected individuals through this general, public notification.
Affected individuals
Approximately 4,100 TPL cardholders, donors and unsuccessful job applicants who had dealings with the library between 2010 and 2023 may have been impacted by the data breach resulting from the cybersecurity attack.
Data elements related to individuals in this group include one or more of the following: contact information (street address, e-mail address, phone number), date of birth, library card number, school information and physical descriptions and/or photo images (in incident reports). The exposed information also identifies some individuals as having filed a complaint, submitted an access request or made a donation to special collections.
TPL has reported this matter to the Office of the Information and Privacy Commissioner of Ontario (the IPC) and an investigation file has been opened. The IPC has advised that it is not necessary for you to file a complaint as they are already investigating the matter. You can visit the IPC’s website at https://www.ipc.on.ca/en.
Next step
If you are concerned that your data may have been breached, please email cyberincident.support@tpl.ca.
Prior notification
We announced a privacy breach on November 15, 2023, indicating that personal data was stolen from a compromised file server. TPL advised that it believed current and former staff employed by TPL and the Toronto Public Library Foundation (TPLF) from 1998 were impacted, provided information about the data exposed, and offered credit monitoring given the nature of the exposed information.
Cardholder, volunteer and donor databases were not affected. However, some data about these groups resided on the file server. TPL began data analysis last November, a time-consuming process that involved working with an outside vendor and significant internal data analysis. Based on this work, TPL was able to directly notify dependents and family members of employees in March 2024 and a group of affected cardholders and other individuals in July and again in November.
Additional information
While navigating this cyber incident has undoubtedly been a challenging experience, it has provided TPL with invaluable lessons that will strengthen us for the future. We have learned from this adversity and have taken concrete steps to improve our systems, safeguard our data and fortify our defences. As we conclude our response with this notification, we would also like to express our heartfelt gratitude to our employees and our community members for their patience, understanding and ongoing support as we worked through this challenge together.