
TransLink Cyber Incident

Information for current, past and retired employees


What happened

In December 2020, TransLink was the victim of a cyberattack. At that time, we took immediate action to shut down multiple computer systems as a protective measure.

Since the incident, we have been working tirelessly with cybersecurity experts to investigate what happened and determine what information may have been compromised.

We are also working closely with law enforcement agencies and the Office of the Information and Privacy Commissioner for BC.

 

What has the investigation found

The investigation is still underway. At this point, here’s what we know.

Investigators have confirmed the attackers unlawfully accessed a restricted network drive related to our payroll and benefits administration.

This drive contained the personal information of current, past and retired employees of TransLink, Coast Mountain Bus Company, BC Rapid Transit Company, West Coast Express, and Transit Police, as well as a limited number of spouses of retired employees.

Unfortunately, we believe the attackers may have copied some of these files, which included banking information and social insurance numbers.

We want to reassure our customers that their payment information has not been affected. TransLink does not store Compass fare payment information. We use a secure third-party processor for all fare transactions and we do not have access to that data.

 

What happens next

TransLink will begin mailing personalized notification letters to any current, former, or retired employees or spouses of retired employees who are affected.

These letters will describe the personal information that was compromised and will outline how affected individuals can register for two years of credit monitoring services with TransUnion.

Credit monitoring services will be paid for by TransLink as a precautionary measure. If you are affected, you will receive a personalized activation code in the mail.

 

Where to find more information

We take this incident very seriously and will continue our investigation with the help of third-party cybersecurity experts and law enforcement agencies.

If any new information comes to light that would affect our current, former, or retired employees, we will notify you as quickly as possible.

In the meantime, we have prepared some resources (see below) that aim to answer any questions you may have.

If you have additional questions, you can also email cyberincident@translink.ca or speak to a representative at our TransLink Incident Response Centre at 1.833.971.3283.


Cyber Incident Information Session

On Tuesday, March 2, TransLink held two virtual Cyber Incident Information Sessions for former, retired and current employees of TransLink, BCRTC, CMBC and Transit Police to provide an update on the recent cyberattack, the ongoing investigation into the incident, and how it impacts all of us.

During the Information Session, attendees heard from Danny Timmins, National Cybersecurity Leader at MNP LLP, one of the largest business advisory firms in the country. They also heard from Timothy Walsh, who is the Vice President of Breach and Cyber Risk Solutions at TransUnion. In addition to Danny and Timothy, there were also representatives from the leadership teams of TransLink, CMBC, BCRTC, and Transit Police on the call.

If you were unable to join either session on March 2, you can watch the hour-long video below.


FAQs

 

Notification letters

TransLink will begin mailing personalized notification letters to individuals whose sensitive personal information was compromised, starting in the middle of February.

As the investigation is ongoing, it could reveal at any time that additional sensitive personal information was compromised. Should this happen, TransLink will continue to issue further notification letters to affected individuals.

Please review your pay stub. If your address is incorrect or you have moved in the last 18 months or so and you are unable to access your pay stub to verify, please email employee.benefits@translink.ca with your current mailing address.

Yes. If you leave the organization, and your personal information was found to be compromised, you will receive a notification letter at the address we have on record for you. If you subsequently move, please update your mailing address with TransLink.

 

Compromised employee information

Why would someone steal my personal information and what could they do with it?

The short answer? To sell it and make money. This is about financial gain.

Cyber criminals often steal personal information, such as Social Insurance Numbers and dates of birth, in the hopes that other criminals will buy that information on the dark web.

The dark web is an unregulated part of the internet that isn’t accessible to people using typical internet browsers or through a search engine. It’s where criminals exchange information to conduct illegal activities.

A criminal may buy someone’s private information to commit fraud by opening a credit card, making online purchases, or taking out a loan in their name.

Dark Web monitoring is an option you can opt into through the credit monitoring service offered by TransUnion. It can alert you if criminals are exchanging your personal information on the dark web so you can take action to prevent your information from being misused.

For instance, if you learn that your email address or an account number has been found on the dark web, you can update the password you use to log into that account to a new, unique and complex password.

Why did BCRTC employees hear about this later than employees of other companies?

Investigators initially believed BCRTC and WCE employees may not have been affected by the breach. Unfortunately, that ultimately was not the case. BCRTC & WCE employees were notified on February 4th about the privacy breach, very soon after investigators made the discovery.

We are conducting a comprehensive forensic investigation to determine if any sensitive information was affected, including personal information. The investigation will be thorough and will take several months to complete. If we find any evidence that would suggest employee personal information was compromised, you will be notified by mail.

How do you define what is considered “sensitive personal information”?

Information such as your name, your title, or any information that could normally be found on a business card, is not considered “personal information” under privacy laws.

Your home phone number may be personal information, but there is generally no real risk of significant harm if it alone is compromised, so it’s not typically “sensitive.”

“Sensitive personal information” in the context of a cyber breach is information about an identifiable individual that could cause significant harm to the individual if the information was compromised, such as identity theft or fraud.

Your social insurance number could pose a genuine risk of significant harm if compromised, so it is “sensitive.”

Why was more of my information compromised than my coworkers’?

One of the key folders that the attackers targeted was a payroll working file.

This folder we are referring to is not our PeopleSoft Server itself, where we store information, but it is a folder made up of sub-folders and files that have been created for different business reasons.

For example, a file may have information that includes calculations about someone’s vacation, and another may have information about T4s.

That is why the information accessed for each of you may have been different from another person’s, and that is part of why those of you who are impacted have received or will receive a personalized letter noting exactly what information we currently know has been accessed.

We are taking this cyberattack very seriously and must be meticulous, methodical, and thorough in our investigation. Unfortunately, this means the investigation will take some time to complete.

Once the attack was detected, we took swift and decisive steps to shut down nearly all our computing systems, to contain the threat. We immediately launched an investigation in early December, calling in third-party cybersecurity experts, as well as law enforcement agencies, to help investigate the attack and determine what information was accessed.

We have been working around the clock over the past three months to completely scrub our systems and remove any trace of the ransomware. At the same time, the I.T. team has also been working with third-party investigators to piece together exactly what folders, files, and information were accessed by the cybercriminals after they breached our security.

This investigation is a difficult, arduous, and painstaking process. It started when we became aware of the attack and will continue over the next few months. Many individuals across our enterprise, particularly on the I.T. team, have worked through holidays, weekends, and at all hours of the night to support the ongoing investigation.

If employees change the bank account into which their payroll or benefits are deposited, please be aware that Human Resources will not be able to process payroll or benefits for you. If you are concerned about your bank account, you can:

  • contact your financial institution to have a flag placed on your account, and

  • consider whether you want to arrange with your financial institution to have your payroll or benefits transferred into a different account as funds arrive into the existing account.

Why wasn’t my sensitive personal information protected? Why wasn’t all our sensitive information encrypted?

The folder in question was protected. It is a restricted folder, which means that access was restricted to only the employees who required it for legitimate operational purposes, with strong identity management in place.

Data encryption is one method of protecting information, but not the only one. Due to how the cyberattack was executed, data encryption would not have prevented the attackers from breaking through or hacking into files.

The hackers undertook a sophisticated attack to infiltrate the protected files. Encryption is not an absolute guarantee to prevent criminals from gaining access.

All of that said, as part of our investigation and remediation efforts, we will continue to look for any opportunities to further strengthen and improve our physical and technical security measures.

What are the impacts on spouses and dependents? What are you doing to protect them?

As our investigation continues, spouses and dependents whose sensitive personal information was unlawfully accessed will receive an individual notification letter and be offered credit monitoring where warranted.

If you have additional concerns about a spouse with whom you have a joint bank account, we encourage you to speak to your bank about this.

 

Who is affected?

Notification letters will be sent to current, former and retired employees of TransLink and its subsidiaries whose sensitive personal information was found to be compromised. A limited number of spouses of retired employees will also be sent notification letters.

If TransLink identifies additional former or retired employees whose sensitive personal information has been compromised, it will send out further notification letters to those impacted individuals.

 

Credit monitoring and Fraud Protection Services

TransLink’s investigation has led it to believe that sensitive personal information has been compromised. TransLink will provide affected individuals with a notification letter detailing what specific sensitive personal information was compromised. To help mitigate any potential misuse of the sensitive personal information of affected individuals, TransLink is offering credit monitoring and fraud protection services.

Most companies offer one year of credit monitoring and fraud protection services when there has been a privacy breach. TransLink has offered two years of credit monitoring and fraud protection services for impacted individuals.

At this time, we are offering a two-year subscription to credit monitoring and fraud protection services for all current employees. Should you wish to subscribe for additional credit monitoring and fraud protection services, it is recommended that you wait until the two-year period is over before signing up for additional services. Any additional services will be at your own expense.

Why are affected individuals only receiving two years of credit monitoring?

The industry standard for credit monitoring services is for a period of one to two years, depending on the circumstances of the breach.

TransLink has decided to provide two years of credit monitoring through TransUnion. If you receive a notification letter, please follow the instructions on how to subscribe.

We are offering a two-year membership in credit monitoring and fraud prevention services to affected individuals. Upon completion of the enrollment process, you will have access to the following features:

  • Unlimited online access to the TransUnion Credit report, updated daily.

  • Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.

  • TransUnion credit monitoring alerts with email notifications of key changes on a consumer’s credit file.

  • Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.

  • Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.

  • Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.

Credit monitoring and fraud protection services do not stop identity theft or fraud from happening. They are used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.

Why is TransLink using TransUnion and not both TransUnion and Equifax?

Equifax and TransUnion are credit monitoring agencies that provide very similar services, so having a subscription to both services wouldn’t be necessary.

Both agencies receive reports and updates from financial institutions relating to an individual’s credit files. They also both offer fraud alerts, which will encourage creditors or lenders to take extra steps to verify your identity before granting new credit.

The credit monitoring and fraud protection service being offered by TransLink is the TransUnion “My True Identity” service.

Although you may also have credit monitoring through another service provider, we strongly encourage you to sign up for the credit monitoring service TransLink is offering if you have received a notification letter and registration code.

If you ever believe you have been the victim of identity theft or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501 or visit antifraudcentre.ca. Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.

Credit monitoring and fraud protection services can alert you to suspicious activity on your credit file in time to stop it from happening. The package also includes identity theft insurance up to $50,000 to protect against potential damages in the event you are a victim of fraud. It is important to note that if your personal information was stolen, there is no certainty criminals will misuse your information, but there is a risk. A TransUnion two-year credit monitoring and fraud protection service subscription is offered to you free of charge. You are encouraged to sign up.

TransLink is offering credit monitoring and fraud prevention services in order to help protect you from falling victim to identity theft and fraud. However, receiving a notification letter or signing up for these services does not automatically mean you are the victim of identity theft. You should be vigilant about monitoring your credit report and your statements from your bank, credit card company and other financial institutions on a monthly basis. If you see transactions that you did not authorize, you should contact your financial institution immediately.

Warning signs vary but typical indicators may include:

  • Sudden and unwarranted changes to your credit score.

  • A notification from TransUnion indicating a change to your credit score, provided you have signed up for credit monitoring services.

  • Suspicious activity showing up in your credit report, such as accounts or inquiries from companies you do not recognize.

  • Unrecognized charges on your statements.

  • Bills received for items you did not purchase or apply for.

  • Credit card or other financial statements that you typically receive by mail stop showing up.

  • Collections agencies try to collect on defaulted accounts not opened by you.

  • Credit card providers or financial institutions advise you that they have approved or declined an application that you never submitted.

Please refer to this cyberattack resource for more information on steps you can take to protect yourself.

 

General Questions

In December 2020, TransLink was the target of a ransomware cyberattack on some of its IT infrastructure. TransLink employs a number of tools to prevent, identify and mitigate these types of attacks. Although TransLink has a robust cybersecurity program in place and conducts regular cybersecurity training, this incident shows that unfortunately no organization is immune. Upon detection, TransLink took immediate steps to isolate and shut down key IT assets and systems in order to contain the threat and reduce the impact on TransLink enterprise operations and infrastructure.

No customer payment information has been affected as a result of this cyberattack. TransLink does not store Compass fare payment information. We use a secure third-party processor for all fare transactions, and we do not have access to that data.

We are taking this cyberattack very seriously and must be meticulous, methodical, and thorough in our investigation. Unfortunately, this means the investigation will take some time to complete.

Once the attack was detected, we took swift and decisive steps to shut down nearly all our computing systems, to contain the threat. We immediately launched an investigation in early December, calling in third-party cybersecurity experts, as well as law enforcement agencies, to help investigate the attack and determine what information was accessed.

We have been working around the clock over the past three months to completely scrub our systems and remove any trace of the ransomware. At the same time, the I.T. team has also been working with third-party investigators to piece together exactly what folders, files, and information were accessed by the cybercriminals after they breached our security.

This investigation is a difficult, arduous, and painstaking process. It started when we became aware of the attack and will continue over the next few months. Many individuals across our enterprise, particularly on the I.T. team, have worked through holidays, weekends, and at all hours of the night to support the ongoing investigation.

The investigation has confirmed that attackers accessed a restricted network drive and copied files containing some personal information related to payroll and benefit administration for current employees of TransLink and its subsidiaries, some former and retired employees, and a limited number of spouses of retired employees. These restricted network drives held files that contained banking information and social insurance numbers.

TransLink will begin mailing personalized notification letters to individuals whose sensitive personal information was compromised starting in mid-February. We will also be offering those individuals complimentary two-year credit monitoring and fraud protection services.

TransLink has legal and operational requirements to retain personal information of former and retired employees for purposes such as pension and benefits administration and related tax reporting purposes.

Why would someone steal my personal information and what could they do with it?

The short answer? To sell it and make money. This is about financial gain.

Cyber criminals often steal personal information, such as Social Insurance Numbers and dates of birth, in the hopes that other criminals will buy that information on the dark web.

The dark web is an unregulated part of the internet that isn’t accessible to people using typical internet browsers or through a search engine. It’s where criminals exchange information to conduct illegal activities.

A criminal may buy someone’s private information to commit fraud by opening a credit card, making online purchases, or taking out a loan in their name.

Dark Web monitoring is an option you can opt into through the credit monitoring service offered by TransUnion. It can alert you if criminals are exchanging your personal information on the dark web so you can take action to prevent your information from being misused.

For instance, if you learn that your email address or an account number has been found on the dark web, you can update the password you use to log into that account to a new, unique and complex password.

Why does TransLink retain employee personal information on file for so long after the employee has departed?

TransLink has legal and operational requirements to retain the personal information of former and retired employees for purposes such as pension and benefits administration and for related tax reporting purposes.

For example, a retired employee’s file is retained for seven calendar years after the retiree passes away, which means their personal information may be on file for a significant amount of time.

How do you define what is considered “sensitive personal information”?

Information such as your name, your title, or any information that could normally be found on a business card, is not considered “personal information” under privacy laws.

Your home phone number may be personal information, but there is generally no real risk of significant harm if it alone is compromised, so it’s not typically “sensitive.”

“Sensitive personal information” in the context of a cyber breach is information about an identifiable individual that could cause significant harm to the individual if the information was compromised, such as identity theft or fraud.

Your social insurance number could pose a genuine risk of significant harm if compromised, so it is “sensitive.”

Why wasn’t my sensitive personal information protected? Why wasn’t all our sensitive information encrypted?

The folder in question was protected. It is a restricted folder, which means that access was restricted to only the employees who required it for legitimate operational purposes, with strong identity management in place.

Data encryption is one method of protecting information, but not the only one. Due to how the cyberattack was executed, data encryption would not have prevented the attackers from breaking through or hacking into files.

The hackers undertook a sophisticated attack to infiltrate the protected files. Encryption is not an absolute guarantee to prevent criminals from gaining access.

All of that said, as part of our investigation and remediation efforts, we will continue to look for any opportunities to further strengthen and improve our physical and technical security measures.

What are the impacts on spouses and dependents? What are you doing to protect them?

As our investigation continues, spouses and dependents whose sensitive personal information was unlawfully accessed will receive an individual notification letter and be offered credit monitoring where warranted.

If you have additional concerns about a spouse with whom you have a joint bank account, we encourage you to speak to your bank about this.

Will TransLink be providing mental health support, such as access to the Employee & Family Assistance Program, to retired members and/or their spouses?

We appreciate this suggestion. We truly understand how distressing this situation is. We want to provide you with the support you need and are looking into whether we can provide this service to retirees during this time. Please watch for further information on this website.

 

Notification letters

TransLink will begin mailing personalized notification letters to those current, former and retired employees and a limited number of spouses of retired employees whose sensitive personal information was compromised, starting in the middle of February.

Starting the week of February 16, please contact the TransLink Incident Response Centre at 1.833.971.3283 to update your mailing address. You will be asked to provide certain information in order to verify your identity. We will reconcile the information you provide with the information in our records and will mail updated letters in due course.

TransLink is continuing with its investigation to determine what files may have been unlawfully accessed, including personal information. As the investigation is ongoing, it could reveal at any time that additional sensitive personal information was compromised. Should this happen, TransLink will continue to issue further notification letters to affected individuals. TransLink is following all the appropriate steps and guidelines set out by the Office of the Information and Privacy Commissioner for BC in these circumstances.

Notification letters will be issued to a limited number of spouses of retired employees whose sensitive personal information was found to be compromised.

If TransLink identifies additional spouses of retired employees whose sensitive personal information has been compromised, it will send out additional notification letters and will continue to do so until the investigation is complete.

 

Credit monitoring

TransLink is committed to offering a two-year subscription to credit monitoring and fraud protection services to all affected individuals where warranted based on an assessment of the nature of the compromised information. If you receive a notification letter, it will describe the specific sensitive personal information that was compromised and, if applicable, provide details on how to enroll in complimentary credit monitoring and fraud protection services with TransUnion.

Why are affected individuals only receiving two years of credit monitoring?

The industry standard for credit monitoring services is for a period of one to two years, depending on the circumstances of the breach.

TransLink has decided to provide two years of credit monitoring through TransUnion. If you receive a notification letter, please follow the instructions on how to subscribe.

Why did it take so long to offer credit monitoring and fraud protection to retired and former employees?

The investigation is ongoing, and we are uncovering information along the way. At the end of December, we learned that current employees of TransLink, CMBC and Transit Police were impacted. We later learned that employees of BCRTC were impacted. It wasn’t until recently that we learned that some former employees and retirees were also impacted.

Should you receive a personalized notification letter, it will describe the specific sensitive personal information that we have determined was compromised and provide instructions on how to enroll in complimentary credit monitoring and fraud protection services with TransUnion.

Typically, credit monitoring and fraud prevention services are provided when the compromised personal information has been confirmed. As the investigation only recently confirmed evidence that sensitive personal information of some former and retired employees of TransLink and its subsidiaries was unlawfully accessed, we are now extending credit monitoring and fraud protection services to all those affected.

Credit monitoring and fraud protection services do not stop identity theft or fraud from happening. They are used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.

TransLink is offering credit monitoring and fraud prevention services to all current employees and affected retired and former employees in order to help protect you from potentially falling victim to identity theft and fraud. However, receiving a notification letter or being offered these services does not automatically mean you are the victim of identity theft. You should be vigilant about monitoring your credit report and statements from your bank, credit card company and other financial institutions on a monthly basis. If you see transactions that you did not authorize, you should contact your financial institution immediately.

If you ever believe you have been the victim of identity theft or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501, or visit antifraudcentre.ca. Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.

Warning signs vary but typical indicators may include:

  • Sudden and unwarranted changes to your credit score.

  • A notification from TransUnion indicating a change to your credit score, provided you have signed up for credit monitoring services.

  • Suspicious activity showing up in your credit report, such as accounts or inquiries from companies you do not recognize.

  • Unrecognized charges on your statements.

  • Bills received for items you did not purchase or apply for.

  • Credit card or other financial statements that you typically receive by mail stop showing up.

  • Collections agencies try to collect on defaulted accounts not opened by you.

  • Credit card providers or financial institutions advise you that they have approved or declined an application that you never submitted.

Why is TransLink using TransUnion and not both TransUnion and Equifax?

Equifax and TransUnion are credit monitoring agencies that provide very similar services, so having a subscription to both services wouldn’t be necessary.

Both agencies receive reports and updates from financial institutions relating to an individual’s credit files. They also both offer fraud alerts, which will encourage creditors or lenders to take extra steps to verify your identity before granting new credit.

The credit monitoring and fraud protection service being offered by TransLink is the TransUnion “My True Identity” service.

Although you may also have credit monitoring through another service provider, we strongly encourage you to sign up for the credit monitoring service TransLink is offering if you have received a notification letter and registration code.

TransLink takes this matter very seriously. In order to assist you with any questions you may have regarding this incident, TransLink has established a call centre specifically dedicated to answering questions. You can reach the TransLink Incident Response Centre at 1.833.971.3283 Monday to Friday from 7:30 a.m. to 5:00 p.m. PST (excluding statutory holidays). In addition, you can email cyberincident@translink.ca.

