Cyber Incident Victim: Toronto Public Library
Date:
Oct 2023
Location:
Canada
Summary
The Toronto Public Library experienced a ransomware attack disrupting public computers, printing services, online accounts, digital collections, and its website, though physical branches remained open with operational Wi-Fi, material borrowing, and select digital services including OverDrive, Hoopla, Kanopy, and archived content. The organization engaged third-party cybersecurity experts and law enforcement, confirming no evidence of compromised staff or customer data, while anticipating full system restoration would require over a week with some services returning earlier.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On October 28, 2023, the Toronto Public Library (TPL) detected a cybersecurity incident that disrupted multiple services across its 100 branches. The attack rendered publicly accessible computers and printing services inoperable at all locations. Digital collections, online user accounts, and the primary tpl.ca website became inaccessible, preventing patrons from managing accounts or accessing digital lending materials. Physical branch operations continued unaffected, with materials available for borrowing and returns. Free Wi-Fi remained operational, alongside several online platforms including Kanopy for streaming films, the Digital Archive, TPL Kids resources, YouTube-hosted library programs, Crowdcast event streams, and podcast services. TPL issued an initial statement confirming the implementation of pre-established mitigation measures and engagement of third-party cybersecurity experts to contain the incident. The library stated no evidence indicated compromise of staff or customer personal information. Early recovery estimates projected several days for full system restoration.
By November 8, 2023, TPL confirmed the incident as a ransomware attack, extending the anticipated recovery timeline to at least one week. Continued service disruptions included tpl:map passes, digital collections, public computers, printing services, and account management functions. Branches maintained standard operating hours with functional telephone lines and Wi-Fi. OverDrive, Hoopla, BiblioBoard, Pressreader, and 14 other specified digital platforms remained accessible to patrons. TPL engaged law enforcement alongside cybersecurity specialists and reiterated no evidence of data exfiltration or compromise. The library established a dedicated communication channel through social media (X, Facebook, Instagram) and its maintenance blog, providing service availability updates and FAQs for patrons. Restoration efforts prioritized incremental service reactivation, with partial functionality expected before full system recovery. TPL acknowledged the global significance of the disruption, noting its status as Canada’s largest public library and the world’s largest lending library system. Operational continuity measures ensured core lending services persisted throughout the incident response period.