Cyber Incident Victim: Toronto Transit Commission

The Toronto Transit Commission (TTC) experienced a ransomware attack beginning on or before October 29, 2021. IT staff initially detected unusual network activity, prompting an investigation. The attack escalated by midday on October 29 when hackers expanded their compromise to network servers. This disruption affected multiple operational systems but did not cause significant service interruptions or pose safety risks to employees or customers. The TTC publicly confirmed the ransomware incident in a statement released on Friday, October 29, though the responsible threat actor remained unidentified.

Impacted systems included the Vision communication system used by operators to coordinate with Transit Control, disabling critical operational communications. Real-time next vehicle information became unavailable on platform screens, trip-planning applications, and the TTC website. Online Wheel-Trans booking services were also disrupted. The TTC engaged law enforcement and cybersecurity experts to investigate the attack’s full scope while collaborating with the City of Toronto’s IT department. Email systems were crippled, forcing conductors to rely on radio communications. Despite functional transit services, the attack represented the third ransomware incident targeting a major Canadian metro system within a year, following previous attacks on Montreal and Vancouver’s transit networks in late 2020. Recovery efforts focused on restoring affected digital services while maintaining minimal physical transit disruptions throughout the incident response period.