The City of Toronto exposed developer Tridel’s banking information to the public, city officials have confirmed.
Tridel discovered its financial information was posted on a city web page and alerted city officials to the incident in April, City of Toronto Media Relations Manager Russell Baker told CTV News.
“The City immediately removed the information and an internal investigation is underway,” Baker said.
Michael Mestyan, Tridel’s vice-president of development planning, said the company’s account information for transferring funds to the city was posted to the public.
The duration this data was exposed is unknown, Mestyan said. “We cancelled the account immediately and are currently not aware of any issues that stemmed from the incident.”
Data breaches have recently plagued institutions in Toronto. Just a day earlier, the Toronto District School Board launched an investigation into a suspected cyberattack. This came on the heels of the public library’s paralyzing, months-long cyberattack, followed by hackers targeting the Toronto Zoo.
However, this breach is different, CTV Technology Analyst Carmi Levy said.
“What separates this case is that this wasn’t a criminal act. This was a negligent act. And it was an accidental exposure by the City of Toronto,” Levy said, pointing out the fact that data was posted on the city’s website, rather than on the dark web where criminal hackers sell stolen data.
“This is about as nightmarish a scenario as you can imagine because something like this should never happen,” he said.
The first failure was that private data was posted to the public, highlighting a “very significant weakness” in the city’s management of information posted online.
“Failure number two was the information was out there and the city was blindly unaware of it until the victim of this error notified them that it was out there,” Levy said.
Given that an investigation is underway, Levy acknowledged his interpretation could differ from the findings, but said his initial observation was that this was not an attack – it was a mistake.
While information on how a data breach of this nature could happen remains sparse, cybersecurity expert Terry Cutler said it sounds like an inside job.
“When federal criminals get access to a financial database with banking information, they would usually leak the whole thing,” Cutler said. Typically, hackers expose data on the dark web or extort the company that’s been breached.
“They just want money,” he said. “Once that data is out there, scammers can start doing financial fraud against Tridel.”
Speaking to the frequency of public institutions falling victim to cyberattacks, Cutler said it points to the fact that criminals now know these organizations don’t have the money or resources to deal with cyber security.
“It makes them a prime target,” he said.