The Toronto Zoo recently provided its final update on the cyberattack that occurred in January 2024, revealing that visitor data dating back to 2000 had been compromised. In a detailed report, the zoo disclosed that personal information of individuals who purchased general admission tickets or zoo memberships between 2000 and April 2023 was stolen by ransomware attackers during the digital heist.
The stolen data included first and last names, home addresses, phone numbers, and email addresses, with credit card details such as the last four digits and expiration dates also being lifted for those who made transactions between January 2022 and April 2023. The zoo urged all affected individuals, as well as its guests and members, to remain vigilant against phishing and online fraud and to monitor their financial account statements regularly.
The Toronto Zoo reported the cyberattack to the Office of the Information and Privacy Commissioner of Ontario (IPC), which initiated an investigation into the matter. The IPC advised that affected individuals did not need to file separate complaints as they were already looking into the issue. With approximately 1.2 million visitors annually and 35,000 households participating in its membership program, the zoo emphasized the importance of data security in light of the breach.
In addition to visitor and member data being compromised, the zoo revealed that personal details of all current and former staff members dating back to 1989 were also accessed by the cybercriminals. Each affected individual was notified and offered credit monitoring services as a gesture of apology for the breach.
Although the zoo did not explicitly mention the term “ransomware” in its final update, it acknowledged that the cyberattack was orchestrated by the ransomware group known as Akira. Despite ongoing efforts to secure its IT infrastructure and collaboration with the City of Toronto’s Chief Information Security Office, Akira still claims to possess the zoo’s data containing sensitive information about animals, research, and personal files.
Akira gained notoriety in 2023 for targeting high-profile entities like Lush, Tietoevry, Stanford University, and Nissan Australia. Experts warned of Akira’s rising threat level in the ransomware landscape following the decline of previous dominant players like BlackCat and LockBit.
The Toronto Zoo expressed regret over the data breach and emphasized the measures taken to enhance its network defenses and detection capabilities to prevent future cyber incidents. Despite the challenges faced by employees and the loss of valuable wildlife conservation research, the zoo reassured its supporters of its commitment to maintaining data security and expressed gratitude for their ongoing support throughout the ordeal.
As the zoo continues to navigate the aftermath of the cyberattack, it remains focused on strengthening its cybersecurity measures to safeguard visitor, member, and staff data from potential threats in the future.