The Greater Toronto Airports Authority (GTAA), operator of Toronto Pearson International Airport, confirmed in March 2023 that a significant cyberattack had exposed personal and financial information of employees. The breach affected critical infrastructure supporting Canada's busiest airport and raised concerns about the security of essential transportation infrastructure. The incident demonstrated that even well-resourced critical infrastructure organisations remain vulnerable to sophisticated cyber attacks.

What Happened

The GTAA discovered unauthorised access to employee systems during cybersecurity incident investigations in February 2023. Forensic analysis revealed that threat actors had gained initial access through a vulnerable remote access system that had insufficient authentication controls. The attackers leveraged this access to move laterally across the GTAA network, eventually compromising employee human resources and payroll systems.

The threat actors maintained undetected access to GTAA systems for approximately four weeks before the intrusion was discovered. During this time, they exfiltrated employee personal and financial data, including names, addresses, employee identification numbers, and banking information used for payroll. The GTAA engaged external forensic investigators and worked with law enforcement to contain the incident and determine the full scope of the compromise.

Scope and Affected Information

The cyberattack affected approximately 1,850 GTAA employees and contractors, including:

  • Employee names, addresses, and dates of birth
  • Employee identification numbers and job title information
  • Banking account information used for payroll direct deposit
  • Social Security and social insurance numbers
  • Some employee personal phone numbers and email addresses
  • Tax information from T4 and similar employment tax documents
  • Compensation and benefits information

Notably, the attack did not affect critical airport operational systems, including air traffic control, baggage handling, or security screening systems. Airport operations continued without disruption, though the GTAA undertook enhanced security measures to prevent any lateral movement to operational technology systems.

Impact on Employees and Critical Infrastructure

GTAA employees faced elevated risk of identity theft and fraud due to exposure of comprehensive personal and financial information. The exposure of banking account information for payroll purposes created opportunities for threat actors to conduct fraudulent transactions or access employee accounts through additional credential theft attempts.

The incident raised broader questions about the security of critical infrastructure operators and the extent to which employee data breaches increase exposure to social engineering attacks against critical infrastructure. Threat actors holding employee information and banking details could potentially use that information to impersonate employees in subsequent attacks targeting infrastructure systems.

GTAA's Response

Following discovery of the breach, the GTAA implemented comprehensive response measures:

  • Immediately isolated affected systems from the network to prevent further data exfiltration
  • Engaged external cybersecurity forensic firms for comprehensive investigation
  • Notified all affected employees directly about the breach
  • Offered complimentary credit monitoring and identity theft protection services
  • Recommended password resets and monitoring for fraudulent account activity
  • Collaborated with law enforcement agencies, including the RCMP, to investigate the incident
  • Enhanced authentication controls on remote access systems
  • Implemented network segmentation to isolate employee systems from operational technology

Lessons Learned

The GTAA cyberattack illustrates several key lessons for critical infrastructure organisations. First, remote access systems warrant particular security attention, as they are a common initial access point for threat actors. Remote access should be protected with strong multi-factor authentication, network segmentation, and continuous monitoring.

Second, the incident demonstrates the importance of network segmentation in critical infrastructure environments. By maintaining separated network segments for employee systems and operational technology, the GTAA prevented threat actors from compromising airport operations. Critical infrastructure organisations must implement strict separation between administrative networks and operational networks.

Third, the breach highlights the cascading risks of employee data exposure at critical infrastructure operators. Employee information combined with banking details could be leveraged in subsequent attacks targeting the infrastructure itself.

How CyberSafe Can Help

CyberSafe's Cyber Defense Services help critical infrastructure organisations implement strong authentication and access controls on remote access systems. Our Network Segmentation Consulting assists organisations in implementing architecture that isolates critical operational systems from administrative networks. Through Managed Security Services, we provide 24/7 monitoring of critical systems to detect breach activity before large-scale data exfiltration occurs.