Soon after we first discovered the cyberattack on our systems in early January 2024, we notified affected employees, former employees, volunteers and donors. Since then, we have done extensive analysis to determine the full scope of the data breach and to notify those affected, and are now providing our final notification to those who had data exposed. We are taking a transparent and precautionary approach in issuing this notification, which the Zoo considers to involve information of limited sensitivity.
Affected individuals
A copy of transaction data was taken and was leaked on the dark web last year. The way the data was leaked has made it difficult to download. It is currently not published, though this could change. The data includes information about all guests and members who engaged in the following types of transactions between 2000 and April 2023: general admission and membership purchases. The data that was compromised includes:
- transaction data including first and last names, and in some records street address information, phone numbers and e-mail address information; and
- (only for guests and members making credit card transactions between January 2022 and April 2023), the last four digits of credit card numbers and associated expiration dates.
Phishing and online fraud are ever present today. We encourage those affected and all our guests and members to be vigilant, to carefully examine uninvited and suspicious communications, and to regularly check financial account statements.
Your Toronto Zoo has reported this matter to the Office of the Information and Privacy Commissioner of Ontario (the IPC) and an investigation file has been opened. The IPC has advised that it is not necessary for you to file a complaint as they are already investigating the matter. You can visit the IPC’s website at https://www.ipc.on.ca/en.
Prior notification
We announced a privacy breach on January 17, 2024, indicating that personal data was stolen from a compromised file server. Toronto Zoo advised that it believed current and former staff employed by the Zoo from 1989 and a small number of volunteers were impacted, provided information about the data exposed, and offered credit monitoring given the nature of the exposed information.
The Zoo’s customer information system in place at the time of the attack was not directly affected. However, some guest and member data resided on one of the affected servers. Toronto Zoo began data recovery and analysis immediately following the cyber incident, which has been a very time-consuming process. Based on this work, Toronto Zoo is issuing this general notification to update any impacted individuals.
Additional information
This cyber incident has been extremely challenging for us, particularly for our current and past employees who had personal information compromised, and also because of the loss of decades of wildlife conservation research. Since this incident, we have taken significant steps to ensure our information technology is more secure, and we have been working closely with the City of Toronto’s Chief Information Security Office; we are grateful for their expertise and ongoing support. Our enhancements will give us significantly better network defenses and a better ability to detect security problems.
As we conclude our response with this notification, we would also like to express our heartfelt gratitude to our employees, volunteers, Zoo members, guests and our community supporters for their patience and understanding as we worked through this challenge together.
For further information about this matter please contact [email protected].