Rule #1 of Breach Response: Regain Trust by Working Backwards from the Worst Case Scenario

As part of a rapid fire succession of TV interviews earlier this week, I had the opportunity to read a 12-page report prepared for the board of directors of the Toronto Public Library following the security breach that devastated IT operations, affected more than 100 branches, compromised the personal information of employees going back to the previous millennium and shattered the preconception that the organization’s security infrastructure was at any level of maturity prior to the surprise attack.

Leaning heavily into the narrative that a low level of preparedness is inherent, if not endemic, to public sector organizations, the report takes pains to explain that a deterioration of social norms is the evidence pointing to a trend towards the moral degeneracy that fuels attacks on socially important elements, such as libraries and other places of cultural importance. Although the report stops short of implying that security is tedious or unnecessary, it strongly hints at the suggestion that were it not for the aforementioned negative trends, the organization’s previously lackadaisical approach to security would have continued to be sufficient to enable its operations.

Alas, the necessary evil of data protection safeguards, with all those preventative measures, constant need for monitoring and detection, capacity for rapid intervention and all the tedium that goes along with the care and feeding of this entire aspect of modern operations would ostensibly be superfluous, were it not for the forces of evil that are now a fixture of society.

That kind of rhetoric might be acceptable if it was purely intended as a soporific for the consumption of a non-IT savvy board of directors, but when the news media buy the narrative and reprint it without a shred of critical interest, it tends to do the public the grave disservice of desensitizing the reader to what is a catastrophic event with far-reaching consequences. And what’s worse, it invites the risk of minimizing, trivializing and normalizing the high-impact losses incurred by victims whose irreplaceable identity data was stolen as a result of a culture that assumed that security might be a necessary evil, but not worth seriously engaging with just yet.

A summary perusal of the report betrays the existence of serious deficiencies for an organization of its calibre:

1. Potentially no incident response plan in place: The initial response was to shut everything down, internal and external, with the risk of losing opportunities for properly investigating and conducting a forensic analysis.
2. Potentially no cyber policy in place: It appears that there was no cyber insurance mechanism in place to immediately get activated, rather than to “collaborate with cyber experts (presumably professionally accredited) through 3rd party legal counsel”
3. Indication of significant losses in systems and information based on the need for “rebuilding the technical environment”
4. There is no indication of proactive preparation despite the claim: “TPL has proactively prepared for cybersecurity issues by prioritizing cybersecurity since January 2021”. Further, no mention is made of privacy compliance or the protection of personal information. and none of the 7 measures listed were evident in the catastrophic outcome.
5. The “Privacy Breach Protocol” is mentioned without any explanation at all, however, despite a privacy breach impacting very sensitive identity data of staff going back to the past millennium (1998), employees were only provided with credit monitoring for 2 years which was positioned as “complimentary” even though the families of staff members were also affected.
6. There is no indication of adequate Business Continuity Planning (BCP) nor Disaster Recovery (DR) in place based on: “The full-scale shutdown of TPL’s technical environment, and the ensuing work to secure the IT network and its many systems, resulted in the suspension of any core library services including the tpl.ca website and access to the library catalogue, holds, and Your Account services; public computing and printing; and access to some digital materials and databases.

Critically, there is little indication that the attack was well understood, infection contained nor even that similar attacks would be preventable in the future. There is apparently no plan for cyberinsurance coverage going forward. In effect, language such as “attackers breached a vulnerability” is clearly not vetted by security professionals. The assumption is that most if not all valuable data was compromised, despite the rush to shut down all systems. No indication is made of how the breach was discovered.

Click here to view the full report

This article originally appeared on ClaudiuPopa.ca.