TransLink Cyber Incident

Information for current, past and retired employees


What happened

In December 2020, TransLink was the victim of a cyberattack. At that time, we took immediate action to shut down multiple computer systems as a protective measure.

Since the incident, we have been working tirelessly with cybersecurity experts to investigate what happened and determine what information may have been compromised.

We are also working closely with law enforcement agencies and the Office of the Information and Privacy Commissioner for BC.

 

What has the investigation found

The investigation is still underway. At this point, here’s what we know.

Investigators have confirmed the attackers unlawfully accessed a restricted network drive related to our payroll and benefits administration.

This drive contained the personal information of current, past and retired employees of TransLink, Coast Mountain Bus Company, BC Rapid Transit Company, West Coast Express, and Transit Police, as well as a limited number of spouses of retired employees.

Unfortunately, we believe the attackers may have copied some of these files, which included banking information and social insurance numbers.

We want to reassure our customers that their payment information has not been affected. TransLink does not store Compass fare payment information. We use a secure third-party processor for all fare transactions and we do not have access to that data.

 

What happens next

TransLink will begin mailing personalized notification letters to any current, former, or retired employees or spouses of retired employees who are affected.

These letters will describe the personal information that was compromised and will outline how affected individuals can register for two years of credit monitoring services with TransUnion.

Credit monitoring services will be paid for by TransLink as a precautionary measure. If you are affected, you will receive a personalized activation code in the mail.

 

Where to find more information

We take this incident very seriously and will continue our investigation with the help of third-party cybersecurity experts and law enforcement agencies.

If any new information comes to light that would affect our current, former, or retired employees, we will notify you as quickly as possible.

In the meantime, we have prepared some resources (see below) that aim to answer any questions you may have.

If you have additional questions, you can also email cyberincident@translink.ca or speak to a representative at our TransLink Incident Response Centre at 1.833.971.3283.


Cyber Incident Information Session

On Tuesday, March 2, TransLink held two virtual Cyber Incident Information Sessions for former, retired and current employees of TransLink, BCRTC, CMBC and Transit Police to provide an update on the recent cyberattack, the ongoing investigation into the incident, and how it impacts all of us.

During the Information Session, attendees heard from Danny Timmins, National Cybersecurity Leader at MNP LLP, one of the largest business advisory firms in the country. They also heard from Timothy Walsh, who is the Vice President of Breach and Cyber Risk Solutions at TransUnion. In addition to Danny and Timothy, there were also representatives from the leadership teams of TransLink, CMBC, BCRTC, and Transit Police on the call.

If you were unable to join either session on March 2, you can watch the hour-long video below.


FAQs

 

Notification letters

TransLink will begin mailing personalized notification letters to individuals whose sensitive personal information was compromised, starting in the middle of February.

As the investigation is ongoing, it could reveal at any time that additional sensitive personal information was compromised. Should this happen, TransLink will continue to issue further notification letters to affected individuals.

Please review your pay stub. If your address is incorrect or you have moved in the last 18 months or so and you are unable to access your pay stub to verify, please email employee.benefits@translink.ca with your current mailing address.

If you are a current employee and your address requires updating, for example, if your address is incorrect on your paystub or you have moved in the last 18 months, you can provide your updated address by emailing employee.benefits@translink.ca.

Yes. If you leave the organization, and your personal information was found to be compromised, you will receive a notification letter at the address we have on record for you. If you subsequently move, please update your mailing address with TransLink.

 

Compromised employee information

Why would someone steal my personal information and what could they do with it?

The short answer? To sell it and make money. This is about financial gain.

Cyber criminals often steal personal information, such as Social Insurance Numbers and dates of birth, in the hopes that other criminals will buy that information on the dark web.

The dark web is an unregulated part of the internet that isn’t accessible to people using typical internet browsers or through a search engine. It’s where criminals exchange information to conduct illegal activities.

A criminal may buy someone’s private information to commit fraud by opening a credit card, making online purchases, or taking out a loan in their name.

Dark Web monitoring is an option you can opt into through the credit monitoring service offered by TransUnion. It can alert you if criminals are exchanging your personal information on the dark web so you can take action to prevent your information from being misused.

For instance, if you learn that your email address or an account number has been found on the dark web, you can update the password you use to log into that account to a new, unique and complex password.

Why did BCRTC employees hear about this later than employees of other companies?

Investigators initially believed BCRTC and WCE employees may not have been affected by the breach. Unfortunately, that ultimately was not the case. BCRTC & WCE employees were notified on February 4th about the privacy breach, very soon after investigators made the discovery.

We are conducting a comprehensive forensic investigation to determine if any sensitive information was affected, including personal information. The investigation will be thorough and will take several months to complete. If we find any evidence that would suggest employee personal information was compromised, you will be notified by mail.

How do you define what is considered “sensitive personal information”?

Information such as your name, your title, or any information that could normally be found on a business card, is not considered “personal information” under privacy laws.

Your home phone number may be personal information but there is generally no real risk of significant harm if it alone is compromised so it’s not typically “sensitive.”

“Sensitive personal information” in the context of a cyber breach is information about an identifiable individual that could cause significant harm to the individual if the information was compromised, such as identity theft or fraud.

Your social insurance number could pose a genuine risk of significant harm if compromised, so it is “sensitive.”

Why was more of my information compromised than my coworkers?

One of the key folders that the attackers targeted was a payroll working file.

This folder we are referring to is not our PeopleSoft Server itself, where we store information, but it is a folder made up of sub-folders and files that have been created for different business reasons.

For example, a file may have information that includes calculations about someone’s vacation, and another may have information about T4s.

That is why the information accessed for each of you may have been different from another person’s. It is also part of why those of you who are impacted have received or will receive a personalized letter noting exactly what information we currently know has been accessed.

We are taking this cyberattack very seriously and must be meticulous, methodical, and thorough in our investigation. Unfortunately, this means the investigation will take some time to complete.

Once the attack was detected, we took swift and decisive steps to shut down nearly all our computing systems, to contain the threat. We immediately launched an investigation in early December, calling in third-party cybersecurity experts, as well as law enforcement agencies, to help investigate the attack and determine what information was accessed.

We have been working around the clock over the past three months to completely scrub our systems and remove any trace of the ransomware. At the same time, the I.T. team has also been working with third-party investigators to piece together exactly what folders, files, and information were accessed by the cybercriminals after they breached our security.

This investigation is a difficult, arduous, and painstaking process. It started when we became aware of the attack and will continue over the next few months. Many individuals across our enterprise, particularly on the I.T. team, have worked through holidays, weekends, and at all hours of the night to support the ongoing investigation.

If employees change the bank account into which their payroll or benefits are deposited, please be aware that Human Resources will not be able to process payroll or benefits for you. If you are concerned about your bank account, you can:

  • contact your financial institution to have a flag placed on your account, and

  • consider whether you want to arrange with your financial institution to have your payroll or benefits transferred into a different account as funds arrive into the existing account.

Whether you should change your banking information is your decision and we encourage you to discuss this with your bank. When discussing this with your bank, you should let them know that TransLink does not have your banking account PIN or password.

If you are an employee of TransLink, Transit Police or CMBC and you wish to change your banking information, you may do so by sending your direct deposit changes to pay.inquiries@translink.ca from an internal corporate address, or sending a hard copy to Payroll by internal mail (S755) or Canada Post or dropping it off at Sapperton. You will need to complete the direct deposit enrollment form. If you are a BCRTC or WCE employee, you may change your banking information by emailing payroll@bcrtc.bc.ca.

Why wasn’t my sensitive personal information protected? Why wasn’t all our sensitive information encrypted?

The folder in question was protected. It is a restricted folder which means that access was restricted to only the employees who required it for legitimate operational purposes, with strong identity management in place.

Data encryption is one but not the only method of protecting information. Due to how the cyberattack was executed, data encryption would not have prevented the attackers from breaking through or hacking into files.

The hackers undertook a sophisticated attack to infiltrate the protected files. Encryption is not an absolute guarantee to prevent criminals from gaining access.

All of that said, as part of our investigation and remediation efforts, we will continue to look for any opportunities to further strengthen and improve our physical and technical security measures.

What are the impacts on spouses and dependents? What are you doing to protect them?

As our investigation continues, spouses and dependents whose sensitive personal information was unlawfully accessed will receive an individual notification letter and be offered credit monitoring where warranted.

If you have additional concerns about a spouse with whom you have a joint bank account, we encourage you to speak to your bank about this.

 

Who is affected?

Notification letters will be sent to current, former and retired employees of TransLink and its subsidiaries whose sensitive personal information was found to be compromised. A limited number of spouses of retired employees will also be sent notification letters.

If TransLink identifies additional former or retired employees whose sensitive personal information has been compromised, it will send out further notification letters to those impacted individuals.

 

Credit monitoring and Fraud Protection Services

TransLink’s investigation has led it to believe that sensitive personal information has been compromised. TransLink will provide affected individuals with a notification letter detailing what specific sensitive personal information was compromised. To help mitigate any potential misuse of the sensitive personal information of affected individuals, TransLink is offering credit monitoring and fraud protection services.

Most companies offer one year of credit monitoring and fraud protection services when there has been a privacy breach. TransLink has offered two years of credit monitoring and fraud protection services for impacted individuals.

At this time, we are offering a two-year subscription to credit monitoring and fraud protection services for all current employees. Should you wish to subscribe for additional credit monitoring and fraud protection services, it is recommended that you wait until the two-year period is over before signing up for additional services. Any additional services will be at your own expense.

Why are affected individuals only receiving two years of credit monitoring?

The industry standard for credit monitoring services is for a period of one to two years, depending on the circumstances of the breach.

TransLink has decided to provide two years of credit monitoring through TransUnion. If you receive a notification letter, please follow the instructions on how to subscribe.

We are offering a two-year membership in credit monitoring and fraud prevention services to affected individuals. Upon completion of the enrollment process, you will have access to the following features:

  • Unlimited online access to the TransUnion Credit report, updated daily.

  • Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.

  • TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file.

  • Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.

  • Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.

  • Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.

Credit monitoring and fraud protection services do not stop identity theft or fraud from happening. They are used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.

Why is TransLink using TransUnion and not both TransUnion and Equifax?

Equifax and TransUnion are credit monitoring agencies that provide very similar services, so having a subscription to both services wouldn’t be necessary.

Both agencies receive reports and updates from financial institutions relating to an individual’s credit files. They also both offer fraud alerts, which will encourage creditors or lenders to take extra steps to verify your identity before granting new credit.

The credit monitoring and fraud protection service being offered by TransLink is the TransUnion “My True Identity” service.

Although you may also have credit monitoring through another service provider, we strongly encourage you to sign up for the credit monitoring service TransLink is offering if you have received a notification letter and registration code.

If you ever believe you have been the victim of identity theft or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501 or visit antifraudcentre.ca. Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.

Credit monitoring and fraud protection services can alert you to suspicious activity on your credit file in time to stop it from happening. The package also includes identity theft insurance up to $50,000 to protect against potential damages in the event you are a victim of fraud. It is important to note that if your personal information was stolen, there is no certainty criminals will misuse your information, but there is a risk. A TransUnion two-year credit monitoring and fraud protection service subscription is offered to you free of charge. You are encouraged to sign up.

TransLink is offering credit monitoring and fraud prevention services in order to help protect you from falling victim to identity theft and fraud. However, receiving a notification letter or signing up for these services does not automatically mean you are the victim of identity theft. You should be vigilant about monitoring your credit report and your statements from your bank, credit card company and other financial institutions on a monthly basis. If you see transactions that you did not authorize, you should contact your financial institution immediately.

Warning signs vary but typical indicators may include:

  • Sudden and unwarranted changes to your credit score.

  • A notification from TransUnion indicating a change to your credit score, provided you have signed up for credit monitoring services.

  • Suspicious activity showing up in your credit report, such as accounts or inquiries from companies you do not recognize.

  • Unrecognized charges on your statements.

  • Bills received for items you did not purchase or apply for.

  • Credit card or other financial statements that you typically receive by mail stop showing up.

  • Collections agencies try to collect on defaulted accounts not opened by you.

  • Credit card providers or financial institutions advise you that they have approved or declined an application that you never submitted.

Please refer to this cyberattack resource for more information on steps you can take to protect yourself.

 

General Questions

In December 2020, TransLink was the target of a ransomware cyberattack on some of its IT infrastructure. TransLink employs a number of tools to prevent, identify and mitigate these types of attacks. Although TransLink has a robust cybersecurity program in place and conducts regular cybersecurity training, this incident shows that unfortunately no organization is immune. Upon detection, TransLink took immediate steps to isolate and shut down key IT assets and systems in order to contain the threat and reduce the impact on TransLink enterprise operations and infrastructure.

No customer payment information has been affected as a result of this cyberattack. TransLink does not store Compass fare payment information. We use a secure third-party processor for all fare transactions, and we do not have access to that data.

We are taking this cyberattack very seriously and must be meticulous, methodical, and thorough in our investigation. Unfortunately, this means the investigation will take some time to complete.

Once the attack was detected, we took swift and decisive steps to shut down nearly all our computing systems, to contain the threat. We immediately launched an investigation in early December, calling in third-party cybersecurity experts, as well as law enforcement agencies, to help investigate the attack and determine what information was accessed.

We have been working around the clock over the past three months to completely scrub our systems and remove any trace of the ransomware. At the same time, the I.T. team has also been working with third-party investigators to piece together exactly what folders, files, and information were accessed by the cybercriminals after they breached our security.

This investigation is a difficult, arduous, and painstaking process. It started when we became aware of the attack and will continue over the next few months. Many individuals across our enterprise, particularly on the I.T. team, have worked through holidays, weekends, and at all hours of the night to support the ongoing investigation.

The investigation has confirmed that attackers accessed a restricted network drive and copied files containing some personal information related to payroll and benefit administration for current employees of TransLink and its subsidiaries, some former and retired employees, and a limited number of spouses of retired employees. These restricted network drives held files that contained banking information and social insurance numbers.

TransLink will begin mailing personalized notification letters to individuals whose sensitive personal information was compromised starting in mid-February. We will also be offering those individuals complimentary two-year credit monitoring and fraud protection services.

Why would someone steal my personal information and what could they do with it?

The short answer? To sell it and make money. This is about financial gain.

Cyber criminals often steal personal information, such as Social Insurance Numbers and dates of birth, in the hopes that other criminals will buy that information on the dark web.

The dark web is an unregulated part of the internet that isn’t accessible to people using typical internet browsers or through a search engine. It’s where criminals exchange information to conduct illegal activities.

A criminal may buy someone’s private information to commit fraud by opening a credit card, making online purchases, or taking out a loan in their name.

Dark Web monitoring is an option you can opt into through the credit monitoring service offered by TransUnion. It can alert you if criminals are exchanging your personal information on the dark web so you can take action to prevent your information from being misused.

For instance, if you learn that your email address or an account number has been found on the dark web, you can update the password you use to log into that account to a new, unique and complex password.

How do you define what is considered “sensitive personal information”?

Information such as your name, your title, or any information that could normally be found on a business card, is not considered “personal information” under privacy laws.

Your home phone number may be personal information but there is generally no real risk of significant harm if it alone is compromised so it’s not typically “sensitive.”

“Sensitive personal information” in the context of a cyber breach is information about an identifiable individual that could cause significant harm to the individual if the information was compromised, such as identity theft or fraud.

Your social insurance number could pose a genuine risk of significant harm if compromised, so it is “sensitive.”

Why wasn’t my sensitive personal information protected? Why wasn’t all our sensitive information encrypted?

The folder in question was protected. It is a restricted folder which means that access was restricted to only the employees who required it for legitimate operational purposes, with strong identity management in place.

Data encryption is one but not the only method of protecting information. Due to how the cyberattack was executed, data encryption would not have prevented the attackers from breaking through or hacking into files.

The hackers undertook a sophisticated attack to infiltrate the protected files. Encryption is not an absolute guarantee to prevent criminals from gaining access.

All of that said, as part of our investigation and remediation efforts, we will continue to look for any opportunities to further strengthen and improve our physical and technical security measures.

What are the impacts on spouses and dependents? What are you doing to protect them?

As our investigation continues, spouses and dependents whose sensitive personal information was unlawfully accessed will receive an individual notification letter and be offered credit monitoring where warranted.

If you have additional concerns about a spouse with whom you have a joint bank account, we encourage you to speak to your bank about this.

Will TransLink be providing mental health support, such as access to the Employee & Family Assistance Program, to former employees and/or their spouses? This situation could have negative impacts on people’s mental health, especially seniors who may be feeling isolated due to the pandemic.

We truly understand how distressing this situation is. TransLink is pleased to extend Homewood Health’s Employee & Family Assistance Program (EFAP) services to former employees, retirees, and eligible spouses who have been impacted by the recent cyberattack. EFAP services are available effective immediately up to Dec. 31, 2021.

The EFAP service provided by Homewood Health is a professional, confidential and proactive service to support a wide range of personal concerns such as dealing with stress, anxiety, life transitions/change, coping with health issues and more. There are also many other online health and wellness resources and tools available. The EFAP service is available 24 hours a day, seven days a week. Homewood Health can offer in-person or phone-in counselling services.

For more information, you can visit their website at homewoodhumansolutions.com or call Homewood Health at 1.800.663.1142. Please identify yourself as a former employee, retiree, or spouse of a former employee of TransLink, Coast Mountain Bus Company, BC Rapid Transit Company, or Metro Vancouver Transit Police.

 

Notification letters

TransLink will begin mailing personalized notification letters to those current, former and retired employees and a limited number of spouses of retired employees whose sensitive personal information was compromised, starting in the middle of February.

Starting the week of February 16, please contact the TransLink Incident Response Centre at 1.833.971.3283 to update your mailing address. You will be asked to provide certain information in order to verify your identity. We will reconcile the information you provide with the information in our records and will mail updated letters in due course.

If you are a former employee or retiree, please contact the TransLink Incident Response Centre to update your address. The TransLink Incident Response Centre has a list of all those who received a letter so they can confirm if your information was compromised. They will be asking for information to confirm your identity.

TransLink is continuing with its investigation to determine what files may have been unlawfully accessed, including personal information. As the investigation is ongoing, it could reveal at any time that additional sensitive personal information was compromised. Should this happen, TransLink will continue to issue further notification letters to affected individuals. TransLink is following all the appropriate steps and guidelines set out by the Office of the Information and Privacy Commissioner for BC in these circumstances.

Notification letters will be issued to a limited number of spouses of retired employees whose sensitive personal information was found to be compromised.

If TransLink identifies additional spouses of retired employees whose sensitive personal information has been compromised, it will send out additional notification letters and will continue to do so until the investigation is complete.

 

Credit monitoring

TransLink is committed to offering a two-year subscription to credit monitoring and fraud protection services to all affected individuals where warranted based on an assessment of the nature of the compromised information. If you receive a notification letter, it will describe the specific sensitive personal information that was compromised and, if applicable, provide details on how to enroll in complimentary credit monitoring and fraud protection services with TransUnion.

Why are affected individuals only receiving two years of credit monitoring?

The industry standard for credit monitoring services is for a period of one to two years, depending on the circumstances of the breach.

TransLink has decided to provide two years of credit monitoring through TransUnion. If you receive a notification letter, please follow the instructions on how to subscribe.

Why did it take so long to offer credit monitoring and fraud protection to retired and former employees?

The investigation is ongoing, and we are uncovering information along the way. At the end of December, we learned that current employees of TransLink, CMBC and Transit Police were impacted. We later learned that employees of BCRTC were impacted. It wasn’t until recently that we learned that some former employees and retirees were also impacted.

Should you receive a personalized notification letter, it will describe the specific sensitive personal information that we have determined was compromised and provide instructions on how to enroll in complimentary credit monitoring and fraud protection services with TransUnion.

Credit monitoring and fraud protection services do not stop identity theft or fraud from happening. They are used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.

TransLink is offering credit monitoring and fraud prevention services to all current employees and affected retired and former employees in order to help protect you from potentially falling victim to identity theft and fraud. However, receiving a notification letter or being offered these services does not automatically mean you are the victim of identity theft. You should be vigilant about monitoring your credit report and statements from your bank, credit card company and other financial institutions on a monthly basis. If you see transactions that you did not authorize, you should contact your financial institution immediately.

If you ever believe you have been the victim of identity theft or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501, or visit antifraudcentre.ca. Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.

Warning signs vary but typical indicators may include:

  • Sudden and unwarranted changes to your credit score.

  • A notification from TransUnion indicating a change to your credit score, provided you have signed up for credit monitoring services.

  • Suspicious activity showing up in your credit report, such as accounts or inquiries from companies you do not recognize.

  • Unrecognized charges on your statements.

  • Bills received for items you did not purchase or apply for.

  • Credit card or other financial statements that you typically receive by mail stop showing up.

  • Collections agencies try to collect on defaulted accounts not opened by you.

  • Credit card providers or financial institutions advise you that they have approved or declined an application that you never submitted.

Should I change my banking information?

Whether you should change your banking information is your decision and we encourage you to discuss this with your bank. When discussing this with your bank, you should let them know that TransLink does not have your banking account PIN or password.

If you are a retiree and wish to change banking information relating to the administration of your pension, you will need to update your banking information through your Public Service Pension Plan. You have the option to update your banking information in your MyAccount or you can complete and submit a direct deposit form.

Please go to the Public Service Plan Website and search “how to manage banking information” for details or contact the Public Service Pension Plan directly. You will be asked for information to verify your account.

Why is TransLink using TransUnion and not both TransUnion and Equifax?

Equifax and TransUnion are credit monitoring agencies that provide very similar services, so having a subscription to both services wouldn’t be necessary.

Both agencies receive reports and updates from financial institutions relating to an individual’s credit files. They also both offer fraud alerts, which will encourage creditors or lenders to take extra steps to verify your identity before granting new credit.

The credit monitoring and fraud protection service being offered by TransLink is the TransUnion “My True Identity” service.

Although you may also have credit monitoring through another service provider, we strongly encourage you to sign up for the credit monitoring service TransLink is offering if you have received a notification letter and registration code.

TransLink takes this matter very seriously. In order to assist you with any questions you may have regarding this incident, TransLink has established a call centre specifically dedicated to answering questions. You can reach the TransLink Incident Response Centre at 1.833.971.3283 Monday to Friday from 7:30 a.m. to 5:00 p.m. PST (excluding statutory holidays). In addition, you can email cyberincident@translink.ca.

