The Toronto Public Library confirmed that the personal information of employees, customers, volunteers, and donors was stolen from a compromised file server during an October ransomware attack.

According to TPL, the attackers stole "a large number of files from a file server" containing data of Toronto Public Library and the Toronto Public Library Foundation employees, going back to 1998.

"Information related to these individuals was likely taken, including their name, social insurance number, date of birth and home address. Copies of government-issued identification documents provided to TPL by staff were also likely taken," the library said in an update to its incident report.

"Our cardholder and donor databases are not affected. However, some customer, volunteer and donor data that resided on the compromised file server may have been exposed."

The library has yet to disclose what customer data was stolen and how many customers were affected by the data breach.

As Canada's largest public library system, TPL operates on a budget exceeding $200 million, has a membership base of 1,200,000 registered individuals, and provides access to 12 million books across 100 branch libraries throughout the city.

While the library hasn't yet attributed the attack to a specific ransomware operation, BleepingComputer has learned that the Black Basta ransomware gang was behind the October 28 attack after seeing a photo of a ransom note shown on a TPL workstation.

As a TPL employee told BleepingComputer, the attack occurred overnight on October 27, disrupting numerous services by Saturday morning. We were also told that the attack had minimal impact on TPL's email services and didn't affect the library's phone system.

The organization's primary servers were also not encrypted, hinting at the possibility that the Black Basta operators didn't have full access to the library's networks and data.
As a precautionary measure to prevent the spread of the malware, TPL shut down all other internal systems after the attack was detected.

Black Basta emerged as a Ransomware-as-a-Service operation in April 2022, with double-extortion attacks targeting many corporate entities.

After the Conti ransomware gang stopped operating in June 2022 following a sequence of humiliating data breaches, the cybercrime syndicate fragmented into smaller factions, one of which is presumed to be Black Basta.

"The threat group's prolific targeting of at least 20 victims in its first two weeks of operation indicates that it is experienced in ransomware and has a steady source of initial access," the Department of Health and Human Services security team said in March.

"The level of sophistication by its proficient ransomware operators, and reluctance to recruit or advertise on Dark Web forums, supports why many suspect the nascent Black Basta may even be a rebrand of the Russian-speaking RaaS threat group Conti, or also linked to other Russian-speaking cyber threat groups."
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000