Cyber Incident Victim: OC Transpo
Date: Dec 2020
Location: Canada
Summary
A cybersecurity incident impacted OC Transpo My Alerts subscribers, potentially compromising their email addresses and passwords. The City of Ottawa investigated the breach, confirming no financial or credit card information was affected, and advised users with reused passwords to update them. The incident prompted notifications to subscribers of the alert service about the unauthorized access to their credentials.
Description
On or around December 7, 2020, the City of Ottawa publicly disclosed a cybersecurity incident impacting subscribers of its OC Transpo My Alerts system. The city initiated an investigation after detecting unauthorized access to the alert service, which provides transit updates via email. Compromised data included subscribers’ email addresses and associated account passwords stored within the My Alerts system. Officials confirmed the breach did not affect financial data or credit card information, as those details were not collected or stored by the service. The City of Ottawa promptly notified affected subscribers about the incident and advised precautionary measures.

The breach prompted the city to urge all My Alerts users to change their passwords, particularly those who reused identical credentials across multiple online accounts. This recommendation aimed to mitigate potential credential-stuffing attacks leveraging exposed email-password pairs. No operational disruptions to OC Transpo services were reported as a direct result of the incident. The public advisory emphasized the absence of compromised payment systems while reinforcing the importance of password hygiene. Ottawa’s response focused on subscriber notification and preventive guidance rather than disclosing technical specifics about the intrusion vector or attacker identity.
