1 million books and 4 months later, Toronto's library recovers from a cyberattack
Returned books have been piling up in storage after nearly 5,000 computers went dark
More than four months after a ransomware attack shut down the Toronto Public Library's computer systems, staff are finally putting a million stranded books back on the shelves.
At the library's distribution centre in the east end of the city, Domenic Lollino wheeled pallet after pallet of library books off a tractor-trailer — one of 15 such vehicles storing those books that were returned while the electronic cataloguing system was down.
"It's a big backlog," he said, and it means employees like him are working 12-hour shifts to get through it all.
According to the library's website, the TPL is the busiest urban public library system in the world. Members borrowed from its 11 million lendable items around 27 million times in 2022, and its distribution centre services all 100 branches.
But time stalled here in October, and it shows. Visible atop chest-high stacks of books are countless children's titles about fall and Halloween, all returned after cybercriminals downed the systems required to put them back on the shelves.
Now, the conveyor belts of the giant "sorter" machine are back up and running, loudly sorting those books into bins destined for branches across the city.
The TPL has been tight-lipped about who was behind the attack that downed systems on Oct. 28 and what their demands were, but it has said publicly that cybercriminals encrypted their computer systems and stole employee data. The library has also said it didn't pay a ransom to restore its systems. Instead, it chose to rebuild them — all while keeping its doors open to the public.
The restoration of its downed services — which includes the return of nearly 5,000 employee and public computers — is a relief to library staff who have had to resort to analog workarounds for many of their daily tasks.
"We had to think through really quickly how we were going to provide as many services as possible," said Jan Dawson, an area manager who runs 18 branches in the city's west end.
"That involved, in the early days, pen and paper and writing down bar codes and keeping that circulation going."
As recently as last month, librarians at the Richview Branch in the west end were storing returned books in cardboard boxes in a corner of the library. Patrons hooked up to Wi-Fi using their own devices and browsed increasingly sparse bookshelves without the help of a library catalogue.
Standing amid the piles of boxes in January, Dawson said staff created resource lists for library patrons who needed to find alternative ways to access critical public computers and printing services. "But nothing in the neighbourhood really is at the scale that we're at," she said.
A recent TPL survey of its users found that, for 80 per cent of respondents, the library's branches were the only place where they could access the internet.
Libraries also help the city's underserved populations in other ways, including by providing warmth and shelter for those who need it, and opportunities for newcomers to contact relatives overseas.
"Libraries are an important pillar in the community. It's the last free space, pretty much, that's available for anyone," Dawson told CBC News's The National.
Maureen Philips, a regular at the Lillian H. Smith branch in the downtown core, said she's looking forward to the return of the online book reserve system so she can take out bestsellers and travel books again.
"I keep waiting for my email saying there's this flood of books just sitting under your name," she said.
Ian Charlton said he uses the library for everything from a "safe haven" to taking out books and magazines and DVDs. Though he said the service disruption didn't really affect how he uses the library, he said it's good to see the library back online.
"My most honest statement is that hackers suck," he said.
CBC News looked through ransomware groups' websites on the dark web, and found numerous instances where Canadian businesses — both for-profit and nonprofit — had supposedly been hacked, with alleged victims ranging from a bakery to an energy company.
Hackers often listed company names and logos, alongside descriptions of the information they purported to have taken. Examples included images of employee passports and drivers' licences — all seemingly available for download. CBC News did not attempt to download any data.
One ransomware group's website looked almost corporate in design with a "contact us" link in the upper right-hand corner. CBC News attempted to reach out to the group, which has been linked to a number of Canadian cyberattacks, to learn more about how they pick their targets. The group did not respond.
"How these groups actually work is they hack anything that they are actually able to get into, and unfortunately sometimes it's a library, sometimes it's a company with a lot of money," said Bob McArdle, a researcher with cybersecurity software giant Trend Micro in Cork, Ireland.
Different ransomware groups will have different codes of conduct, he says.
"Some of them, for example, will clearly say: We do not hack hospitals, we do not hack government targets, and so on," he said. "Others just don't care."
McArdle says ransomware groups tend to be made up of career criminals, who treat hacking like a professional nine-to-five job.
"These are people who have been doing this for a very long time," he said.
Often located in the Russian-speaking world, "they think that there is very little chance of them being arrested in their own country, as long as they don't actually target victims in their own countries."
In short, hackers are experts, McArdle said, and a tough adversary for employees of businesses around the world who don't themselves work in cybersecurity.
The Communications Security Establishment (CSE), the country's cryptologic agency and an authority on cybersecurity, said in an email that cyberattacks are increasing worldwide, but that "the vast majority of incidents go unreported."
That's a problem, said CSE spokesperson Janny Bender Asselin, "because it means we only have a partial picture of the threats that are out there."
Some businesses do pay the ransom — though McArdle says the number appears to be decreasing.
"The important thing to realize is the criminal groups know not everybody is going to pay," he said. "In fact, they account for that in their business model."
As a result, he said, everyone who does pay is essentially financing future ransomware attacks.
In the case of the Toronto Public Library, victims include the employees themselves. Cybercriminals not only encrypted library files, but stole employee data, including social insurance numbers, home addresses and copies of government-issued identification documents that they'd provided to their employer. The library is still investigating the full extent of the data breach, including whether any customer, donor or volunteer information was taken.
"For all of us, knowing that our data is somewhere has been quite challenging and difficult," said Dawson, the branch manager.
"As information professionals, we go to great lengths to protect your data and your privacy as a customer, so it's really taking a lot to process. I think we're all still processing it."