Toronto Zoo says patrons' transaction data leaked on dark web in 2024 cyberattack

The Toronto Zoo says a copy of transaction data from its guests and members — including names, addresses and credit card information — was taken and "leaked on the dark web" in a cybersecurity attack on its computer systems more than a year ago.

In an update posted on its website Friday, the zoo said the data taken and leaked due the ransomware attack that happened in January 2024 included information about all guests and members who paid general admission and made membership purchases between 2000 and April 2023. 

The zoo said the compromised data includes first and last names, and in some cases, street address information, phone numbers and email addresses. And for guests and members who made credit card transactions between January 2000 and April 2023, the data includes the last four digits of credit card numbers and associated expiration dates.

"The way the data was leaked has made it difficult to download. It is currently not published, though this could change," the zoo said in the update. 

"We encourage those affected and all our guests and members to be vigilant, and to carefully examine uninvited and suspicious communications and to regularly check financial account statements."

Patrons like Deborah McMillan told CBC Toronto Saturday that they've been unsettled by the news, and would be checking in with their banks and credit card companies immediately.

"I've had a annual membership for years, so to have that data now potentially out there, it's scary," she said. "It's a scary world we live in right now, and it's just too bad that things can be compromised so easily."

According to the zoo, the privacy breach was reported on Jan. 17, 2024 after the personal data was stolen from a compromised file server. At the time, the zoo believed that current and former staff employed by the zoo from 1989 and a small number of volunteers were affected.

The zoo said the cyberattack did not directly affect its customer information system at the time of the attack, but there was some guest and member data on one of the affected servers.

The zoo began data recovery and analysis immediately following the cyber incident, which was "a very time-consuming process," the update says. Based on this work, the zoo said its providing an update to people whose data was affected.

"This cyber incident has been extremely challenging for us, particularly our current and past employees who had personal information compromised but also due to the loss of decades of wildlife conservation research that was lost as well," the zoo said. 

Since this incident, the zoo said it has taken "significant steps" to ensure its information technology is more secure and it's working with the city's chief information security office to better protect its information and security problems.

The cyberattack was reported to Ontario's Office of the Information and Privacy Commissioner and is being investigated. Individuals affected by the cyberattack do not need to open separate complaints, the zoo said.

Zoo likely followed best practices, says cybersecurity expert

These cyberattacks are not uncommon and the Toronto zoo was likely following best practices, says cybersecurity expert Francis Syms, who is associate dean of the faculty of applied sciences and technology at Humber Polytechnic.

Companies have increasingly been moving sensitive data online so employees can access it remotely, especially since the COVID-19 pandemic, he says, and Ontario has already seen similar cyberattacks in recent years, including one in 2023 that affected a large number of hospital paitents.

"The unfortunate reality is that, generally, when companies connect their systems to the internet, they just make everything available, which is really ripe, low-hanging fruit for hackers," Syms said in an interview.

"I would say that the Toronto Zoo didn't do anything wrong, per se. They just followed the best practice for the industry," Syms said. "But I think we're at the point now where that best practice is starting to change."

Syms said many companies are starting to move sensitive data off the internet and onto internal servers, making it harder for hackers to access. Companies can also reduce the risk of cyberattacks, he says, by using multi-factor authentication to access sensitive data, so stolen passwords won't lead to breaches.

There are also professional consultants who can help boost cybersecurity, he says. 

Syms recommends that anyone who feels their financial information may have been compromised should contact their bank or credit card company to explain what happened and ask for advice on how to be sure their information isn't being misused.