The organization also lost years of wildlife conservation research as a result of the January 2024 cyber incident.
# Incident Report: Toronto Zoo Data Breach and Ransomware Attack
## Executive Summary
In an incident occurring sometime prior to January 2024, the Toronto Zoo suffered a significant cyberattack, claimed by the Akira ransomware group, resulting in the exfiltration and subsequent dark web leak of extensive guest and employee data spanning decades. The attack caused operational difficulties and resulted in the loss of critical wildlife conservation research, leading to regulatory notification and the offering of credit monitoring to affected parties.
## Incident Details
- Discovery Date: Prior to January 2024 (Reported in January 2024)
- Incident Date: Occurred sometime "last year" relative to the January 2024 reporting (implying 2023 or earlier); the scope analysis and notifications were finalized in early 2024.
- Affected Organization: Toronto Zoo
- Sector: Leisure/Public Attraction (Zoo/Conservation)
- Geography: Toronto, Ontario, Canada
## Timeline of Events
### Initial Access
- Date/Time: Not specified, occurred prior to discovery/reporting in Jan 2024.
- Vector: Not explicitly detailed (Likely a common ransomware vector such as RDP compromise or phishing, given the typical methods used by Akira).
- Details: Attackers gained access leading to the compromise of guest and personnel data.
### Lateral Movement
- Details: Attackers successfully navigated the network to access transaction data spanning back to 2000 and internal files related to current and former staff dating back to 1989.
### Data Exfiltration/Impact
- Date/Time: Data was copied and leaked on the dark web "last year."
- Details: Approximately 133 GB of data was stolen, including transaction data (names, addresses, phone numbers, emails for all visitors since 2000), partial credit card details (last four digits and expiration dates for transactions between Jan 2022 and April 2023), confidential agreements, personal files of employees/volunteers/donors, and critical decades-long wildlife conservation research.
### Detection & Response
- Date/Time: January 2024 (formal notice was issued once the analysis was complete).
- Details: The zoo discovered the attack, conducted an analysis to determine the scope of the affected data, and notified affected current and former employees, volunteers, and donors. The incident was reported to the Office of the Information and Privacy Commissioner of Ontario (OIPC-O), which opened an investigation. Operational difficulties were experienced immediately following the attack.
## Attack Methodology
- Initial Access: Undisclosed (Likely via common initial vectors exploited by ransomware groups).
- Persistence: Undisclosed.
- Privilege Escalation: Undisclosed, but sufficient to access decades of historical and personnel files.
- Defense Evasion: Undisclosed.
- Credential Access: Implied, necessary to access broad scopes of personnel PII and operational files.
- Discovery: Implied, necessary to locate and categorize transaction data and research files.
- Lateral Movement: Implied, to move from initial access point to high-value data repositories.
- Collection: Comprehensive data collection, resulting in 133 GB exfiltrated.
- Exfiltration: Data was copied and subsequently leaked on the dark web.
- Ransomware Group: Akira.
- Impact: Data theft, potential encryption/disruption (implied by ransomware claim), loss of research data.
## Impact Assessment
- Financial: Unknown, but likely included costs for investigation, notification, credit monitoring services, and potential regulatory fines.
- Data Breach: **High Severity.** PII (Name, Address, Phone, Email) for all visitors (2000-2023). Partial PCI data for transactions (2022-2023). Extensive PII for staff/volunteers/donors (since 1989).
- Operational: Caused "days of operational difficulties."
- Reputational: High, involving a well-known public institution suffering a major data breach spanning over two decades of visitor data.
## Indicators of Compromise
- **Network Indicators:** None provided (URLs/IPs were not in the source text).
- **File Indicators:** Akira ransomware artifact indicators (not detailed).
- **Behavioral Indicators:** Possible large-scale egress traffic associated with 133 GB data collection.
## Response Actions
- **Containment:** Not explicitly detailed, but containment would have been necessary upon discovery to halt ongoing exfiltration/encryption.
- **Eradication:** Not detailed, assumed to involve system cleaning and potentially rebuilding core infrastructure.
- **Recovery:** Focused on business continuity and restoration of operational capabilities. Notified affected individuals and regulators. Offered credit monitoring services to current and former staff.
## Lessons Learned
- Loss of critical, decades-old operational data (wildlife research) can be as damaging as PII loss.
- Security controls failed to prevent the exfiltration of data spanning over 20 years.
- The organization experienced significant challenges in managing the aftermath, indicating a potential gap in rapid incident communication or data scope analysis.
## Recommendations
- Implement robust segmentation to limit the maximum scope of historical data accessible during a breach.
- Review and enhance backup and recovery strategies, particularly for mission-critical, historical research data, ensuring backups are immutable and isolated.
- Review access controls and data retention policies to minimize the amount of highly sensitive historical PII/PCI data retained.
- Enhance network monitoring to detect large-scale outbound data transfers indicative of exfiltration.
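The behavioral indicator above (large-scale egress tied to a 133 GB collection) and the last recommendation both come down to the same detection: per-host outbound volume that is far outside the population norm. The following is an added example, not code from the report or the zoo, that sums outbound bytes per internal source from constructed NetFlow-style CSV records and flags hosts that exceed an absolute ceiling or a multiple of the population median; all addresses, byte counts and thresholds are assumptions for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample flow records (NetFlow-style CSV export). Addresses and
# byte counts are illustrative only; one host sums to 133 GB to mirror the
# volume cited in the report, the rest are ordinary web traffic.
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,bytes_out
2024-01-10T01:00:00Z,10.20.5.14,203.0.113.77,443,52000000000
2024-01-10T01:05:00Z,10.20.5.14,203.0.113.77,443,48000000000
2024-01-10T01:10:00Z,10.20.5.14,203.0.113.77,443,33000000000
2024-01-10T01:00:00Z,10.20.7.31,198.51.100.9,443,120000000
2024-01-10T01:00:00Z,10.20.7.32,198.51.100.9,443,95000000
2024-01-10T01:00:00Z,10.20.7.33,198.51.100.10,443,110000000
2024-01-10T01:00:00Z,10.20.9.2,198.51.100.12,22,4000000
"""

GB = 1_000_000_000


def outbound_bytes_per_host(flow_csv: str) -> dict:
    """Sum bytes_out per internal source address across all flow records."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        totals[row["src_ip"]] += int(row["bytes_out"])
    return dict(totals)


def flag_egress_outliers(totals: dict, absolute_gb: float = 10.0,
                         ratio: float = 20.0) -> list:
    """Flag hosts whose outbound volume exceeds an absolute ceiling (assumed
    10 GB per window) or `ratio` times the population median.
    Returns (host, bytes, reason) tuples, largest sender first."""
    if not totals:
        return []
    baseline = median(totals.values())
    flagged = []
    for host, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        if total >= absolute_gb * GB:
            flagged.append((host, total, f"exceeds {absolute_gb:g} GB ceiling"))
        elif baseline > 0 and total >= ratio * baseline:
            flagged.append((host, total, f"{total / baseline:.0f}x population median"))
    return flagged


if __name__ == "__main__":
    for host, total, reason in flag_egress_outliers(outbound_bytes_per_host(SAMPLE_FLOWS)):
        print(f"ALERT {host}: {total / GB:.1f} GB outbound ({reason})")
```

In production the window and thresholds would be tuned per network segment, and the per-host baseline would be taken from that host's own history rather than a single snapshot of its peers.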