TransLink Cyber Incident

The person who wrote the personal cheque is not always the customer in our Access Transit program. In some instances, it is a family member, a friend, a loved one, or a care provider of a customer who wrote the cheque. If you wrote a cheque on behalf of a TaxiSaver customer, it is your information that was accessed.

TransLink moved quickly to launch an investigation into the cyberattack immediately upon detection. The privacy review has been a complex and time-consuming process that unfolded over the past several months, involving extensive analysis and manual data reviews.

We recently discovered this group was affected and have been notifying you as quickly as possible The review is now complete, and we are in a position to provide affected individuals with a complete list of all sensitive personal information that was unlawfully accessed.

We ask that you discuss these concerns with your bank and follow their recommendations.

TransLink is offering credit monitoring and fraud protection services as a precautionary measure. We urge you to take advantage of this offer as it will help protect you from many forms of fraud and identity theft.

Most customers purchase TaxiSavers through the mail and this method of payment is exclusively by cheque. However, the Compass Customer Service Centre at Stadium-Chinatown Station accepts cash, debit, and credit (but not cheques).

If an individual wrote a cheque for an Access Transit customer, the only information TransLink holds is whatever is printed on the personal cheque. TransLink does not record this information in any way separately from the cheque itself.

For an Access Transit customer, TransLink will have the application on file in a restricted folder. As the investigation into what the attackers accessed in the cyberattack is now complete, we can confirm that this information was not accessed during this cyber incident.

We recommend individuals connect with us to update their address. Once updated, we will re-issue the breach notification letter to the new address. For individuals who wrote a cheque for TaxiSavers for themselves or on behalf of someone else, and did not get a breach notification letter, please email cyberincident@translink.ca to let us know.

Please include in your email:

• Your name as it appeared on your cheque and your current address.

• Please also include your HandyCard number or, if you are not the customer, the customer's name and HandyCard number.

Upon receipt of your email, if we confirm that you were an impacted individual, we will send you a new breach notification letter to your updated mailing address. This process could take 10 to 15 business days.

As part of normal accounting and auditing processes, records are maintained and stored in restricted folders for accounting staff for a minimum of 7 years. Records of TaxiSaver purchases are included in this process, and scanned copies are maintained and stored in restricted folders for accounting staff.

Instances of cybercrime are on the rise globally. The fact that TransLink became a victim despite maintaining a robust cybersecurity program is evidence of how sophisticated these criminals are.  Even though we have many security measures in place to protect our systems and data, due to how the cyberattack was executed, data encryption would not have prevented the attackers from breaking through.

Prior to this attack, TransLink had invested in a robust security program with several additional security projects that were planned to begin in 2021. We will continue to pursue those projects and will also be making additional investments to further strengthen our safeguards and protect the security and confidentiality of sensitive personal information in light of evolving cybersecurity threats. We are continuing to review our existing policies, practices, training programs and physical and technical security measures as well, with a view and commitment to continuous improvement.  We have also taken the opportunity to further strengthen our systems as we bring them back online.

We have already begun to review our existing policies, practices, training programs, and physical and technical security measures. We will continue to look for any opportunities to further strengthen our safeguards.

We take the security of personal information within our care very seriously at TransLink.  We are continually investing in our security measures, particularly as cybersecurity threats continue to evolve.

We are also reviewing our existing policies, practices, training programs, and physical and technical security measures with a view and commitment to continuous improvement. Additionally, TransLink is looking at ways to work with business peers to share lessons learned and best practices to help prevent them from falling victim to future cyberattacks.

Our investigation has produced evidence that personal information has been compromised. Regrettably, attackers accessed and may have copied files from a restricted network drive that stores files containing some personal information that could potentially be misused by cybercriminals to commit fraud. As a precautionary measure, we are providing impacted TaxiSaver customers with credit monitoring and fraud protection services.

We previously offered a two-year subscription to credit monitoring for all active employees. Should you wish to subscribe for additional credit monitoring, it is recommended that you wait until the two-year period is over before signing up for additional credit monitoring. Any additional credit monitoring beyond what TransLink is providing will be at the employee’s option and expense.

TransLink is offering a two-year membership in credit monitoring and fraud prevention services to individuals whose sensitive personal information was unlawfully accessed by the cyberattackers. The service includes the following features:

• Unlimited online access to the TransUnion Credit report, updated daily.

• Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.

• TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file.

• Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.

• Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.

• Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.

Credit monitoring does not stop identity theft or fraud from happening. It is used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.

If you ever believe you have been the victim of identity theft or fraud or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1-888-495-8501, or by visiting http://www.antifraudcentre-centreantifraude.ca/.

Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.

TransUnion’s online credit monitoring and fraud prevention service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.

Please refer to the cyber resource page for more information on steps you can take to protect yourself.

Several months ago, while the investigation was still in its earlier stages, we became aware that certain sensitive personal information had been unlawfully accessed. We moved quickly to notify affected individuals and offer credit monitoring and fraud protection services at that time, even though our investigation was still ongoing.

We then continued to undertake a comprehensive review of the accessed information. The review is now complete, and we are in a position to provide affected individuals with a complete list of all sensitive personal information that was unlawfully accessed.

TransLink moved quickly to launch an investigation into the cyberattack immediately upon detection. The privacy review has been a complex and time-consuming process that unfolded over the past several months, involving extensive analysis and manual data reviews.

TransLink utilized a process called e-discovery to assist us in identifying which files contain sensitive personal information. E-discovery is a two-step process. First, software tools are used to detect possible personal information in the files. Next, the files that have been identified as possibly containing personal information are manually reviewed individually to confirm that they contain sensitive personal information and to identify whose sensitive personal information is included. This process takes weeks or months, depending on the total number and size of all the files that need to be searched.

Instances of cybercrime are on the rise globally. Although TransLink has a robust cybersecurity program in place and conducts regular cybersecurity training for staff, this incident shows that unfortunately no organization is immune. It also confirms the need for continuous monitoring and improvement of our security measures.

Our I.T. Security program has been a top priority for the TransLink enterprise for many years and as part of that we have developed multi-year strategies and roadmaps for investing in I.T. security, infrastructure, and software. In recent years, we have continued to expand the program with investments in new systems and practices. We also conduct regular studies, audits, and exercises such as our annual maturity assessments, penetration tests, and compliance audits.

Prior to this attack, TransLink had several additional security projects that were planned to begin in 2021. We will continue to pursue those projects and will also be making additional investments to further strengthen our safeguards and protect the security and confidentiality of sensitive personal information in light of evolving cybersecurity threats. We are continuing to review our existing policies, practices, training programs and physical and technical security measures, with a view and commitment to continuous improvement. We have also taken the opportunity to further strengthen our systems as we bring them back online.

Over the past six months, Business Technology Services has taken many additional steps and measures to enhance our existing information security practices. These include:

• Implementing a red warning banner to identify external emails and risk

• Implementing a “Report Phishing” button at the top of emails

• Expanded use of multi-factor authentication for VPN

• Installing Carbon Black, Microsoft Defender and Cisco Security Umbrella to provide enhanced protection

• Continuing the regular patching of computer assets

• Installing additional vulnerability management agents, including Microsoft’s advanced threat protection tools, for continuous scanning and monitoring, to further leverage cyber security intelligence and be proactively alerted of potential threats

• Expanding our security controls to provide enhanced Cloud Security

All these investments and initiatives have been undertaken in addition to our annual awareness campaigns and the ongoing mandatory I.T. security awareness training and exercises for all employees.  Cybersecurity is a constantly moving target and we re-evaluate our objectives and targets every year.

We also work with an external review partner to update our plans, policies, and standards annually, to ensure we are doing as much as possible to stay ahead of the curve.  Employees continue to be reminded to remain vigilant and report any suspicious emails, links or attachments through Outlook’s Report Message feature or by forwarding the email to the Service Desk (servicedesk@translink.ca). Cybersecurity is everyone’s responsibility.

Finally, we are looking at ways to work with other public agencies, organizations, and businesses to share lessons learned from this incident, to help them avoid falling victim to future cyberattacks. We will all need to be ever vigilant.

Applications and systems recovery work is ongoing. Please note, as applications are recovered, some may have reduced functionality while others may not yet have been made available for general use by the business owner. A list of available applications and their current functionality can be found on sharepoint and will be updated weekly.

Some Enterprise Data Warehouse (EDW) and Business Intelligence (BI) systems and data are now available. An up-to-date dashboard for end-users communicating the recovery status is available to view.

TransLink is taking this incident very seriously. Dark web monitoring has been in place since the incident occurred. To date, TransLink is not aware of any misuse of the sensitive personal information accessed by the cyberattackers.

A ransom demand ($6M USD) was made when the attack first took place. In the end, TransLink made the decision to not make any ransom payments to the cybercriminals. There was no guarantee that these cybercriminals would keep their word and not misuse the personal information that they unlawfully accessed. We were also concerned that any payment to cybercriminals would embolden further attacks on us and other agencies. It was fortunate that we were able to restore our systems from backups, although recovery has certainly been a long and arduous process.

TransLink has legal and operational requirements to retain personal information of former and retired employees for purposes such as pension and benefits administration and for related tax reporting purposes.

For example, TransLink has a Records Classification and Retention Schedule which provides that a retired employee’s file is retained for 7 calendar years after the retiree dies and payment of claim is completed, benefits are exhausted, or a spouse or beneficiary dies.

Notification letters are expected to start arriving as early as the week of July 5, 2021. Timing will depend on Canada Post delivery times.

If you are a current employee and your address requires updating, for example, if your address is incorrect on your paystub or you have moved in the last 18 months, you can provide your updated address by emailing employee.benefits@translink.ca.

We previously advised that files containing banking information and social insurance numbers of current and former employees had been illegally accessed. With the investigation completed, we now advise that information related to salary or wage rates, deductions, and tax withholdings was also accessed by the cyberattackers.

For some former and current CMBC employees, records related to WorkSafeBC incidents were accessed. We can confirm that no occupational health records were accessed.   

Additionally, our investigation recently produced evidence that a restricted network drive that held personal cheques used to purchase TaxiSavers in our Access Transit Program, was unlawfully accessed.

You will receive a notification letter in the mail which outlines your sensitive personal information which has been accessed.

Whether you should change your banking information is your decision and we urge you to discuss this with your bank. When discussing this with your bank, you should let them know that TransLink does not have your banking account PIN or password.

If you are an employee of TransLink, Transit Police or CMBC and you wish to change your banking information, you may do so by sending your direct deposit changes to pay.inquiries@translink.ca from an internal corporate address, or by sending a hard copy to Payroll by internal mail (S755) or Canada Post, or by dropping it off at Sapperton. You will need to complete the direct deposit enrollment form. If you are a BCRTC or WCE employee, you may change your banking information by emailing payroll@bcrtc.bc.ca.

Notification letters will be sent to current, former and retired employees of TransLink and its subsidiaries, whose sensitive personal information was found to be compromised. A limited number of spouses will also be sent notification letters.

More than one restricted folder was accessed and each folder contained different information. That is why the information accessed for each of you may be different than another person’s and that is part of why those of you who are impacted have or will receive a personalized letter noting exactly what information we know was accessed.

A limited number of spouses have received privacy breach notification letters.

Privacy notification letters have been mailed to a very limited number of TransLink contractors.

Credit monitoring and fraud protection services were offered to current employees in December as a precautionary measure. Employees were reminded on several occasions to register for this service before the deadline. Since the sensitive personal information contained in the new records is not information that is typically used to commit fraud, additional credit monitoring will not be provided. If you have any questions, please contact cyberincident@translink.ca.

Unfortunately, the credit monitoring deadline for current employees expired in April. Access to registration codes for credit monitoring was available for several months prior to the expiry date and regrettably, the deadline cannot be extended. Employees were reminded on several occasions to register for this service before the deadline. If you have any questions, please contact cyberincident@translink.ca.

Our investigation has produced evidence that personal information has been compromised. Regrettably, attackers accessed and may have copied files from a restricted network drive that stores files containing some personal information that could potentially be misused by cybercriminals to commit fraud. As a precautionary measure, we previously provided impacted individuals with credit monitoring and fraud protection services.

Most companies offer one-year of credit monitoring when there has been a privacy breach. TransLink has offered two-years of credit monitoring for affected individuals. It can be confusing for individuals to receive reports from two separate credit agencies (such as TransUnion and Equifax). However, if someone has applied for credit in your name, most lenders will report that activity to both TransUnion and Equifax. That application will then be shown on the report you receive from TransUnion.

We previously offered a two-year subscription to credit monitoring for all active employees. Should you wish to subscribe for additional credit monitoring, it is recommended that you wait until the two-year period is over before signing up for additional credit monitoring. Any additional credit monitoring beyond what TransLink is providing will be at the employee’s option and expense.

We offered a two-year membership in credit monitoring and fraud prevention services to current and former employees who have been affected by the cyberattack. The service includes the following features:

• Unlimited online access to the TransUnion Credit report, updated daily.

• Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.

• TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file.

• Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.

• Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.

• Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.

Credit monitoring does not stop identity theft or fraud from happening. It is used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.

If you ever believe you have been the victim of identity theft or fraud or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501, or by visiting antifraudcentre.ca.

Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.

TransUnion’s online credit monitoring and fraud prevention service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.

Please refer to the cyberattack resource for more information on steps you can take to protect yourself.

Several months ago, while the investigation was still in its earlier stages, we became aware that certain sensitive personal information had been unlawfully accessed. We moved quickly to notify affected individuals and offer credit monitoring and fraud protection services at that time, even though our investigation was still ongoing.

We then continued to undertake a comprehensive review of the accessed information. The review is now complete, and we are in a position to provide affected individuals with a complete list of all sensitive personal information that was unlawfully accessed.

TransLink moved quickly to launch an investigation into the cyberattack immediately upon detection. The privacy review has been a complex and time-consuming process that unfolded over the past several months, involving extensive analysis and manual data reviews.

TransLink utilized a process called e-discovery to assist us in identifying which files contain sensitive personal information. E-discovery is a two-step process. First, software tools are used to detect possible personal information in the files. Next, the files that have been identified as possibly containing personal information are manually reviewed individually to confirm that they contain sensitive personal information and to identify whose sensitive personal information is included. This process takes weeks or months, depending on the total number and size of all the files that need to be searched.

TransLink is taking this incident very seriously. Dark web monitoring has been in place since the incident occurred. To date, TransLink is not aware of any misuse of the sensitive personal information accessed by the cyberattackers.

A ransom demand ($6M USD) was made when the attack first took place. In the end, TransLink made the decision to not make any ransom payments to the cybercriminals. There was no guarantee that these cybercriminals would keep their word and not misuse the personal information that they unlawfully accessed. We were also concerned that any payment to cybercriminals would embolden further attacks on us and other agencies. It was fortunate that we were able to restore our systems from backups, although recovery has certainly been a long and arduous process.

TransLink has legal and operational requirements to retain personal information of former and retired employees for purposes such as pension and benefits administration and for related tax reporting purposes.

For example, TransLink has a Records Classification and Retention Schedule which provides that a retired employee’s file is retained for 7 calendar years after the retiree dies and payment of claim is completed, benefits are exhausted, or a spouse or beneficiary dies.

TransLink has legal and operational requirements to retain personal information of former and retired employees for purposes such as pension and benefits administration, and tax reporting purposes. 

For example, TransLink has a Records Classification and Retention Schedule which provides that a retired employee’s file is retained for 7 calendar years after the retiree dies and payment of claim is completed, benefits are exhausted, or a spouse or beneficiary dies.

Notification letters are expected to start arriving as early as the week of July 5, 2021. Timing will depend on Canada Post delivery times.

If you are a former employee or retiree, please contact cyberincident@translink.ca to update your address. TransLink has a list of all those who received a letter so they can confirm if your information was compromised. They will be asking for information to confirm your identity.

We truly understand how distressing this situation is. TransLink is pleased to extend Homewood Health’s Employee & Family Assistance Program (EFAP) services to former employees, retirees, and eligible spouses who have been impacted by the recent cyberattack. EFAP services are available effective immediately up to Dec. 31, 2021.

The EFAP services provided by Homewood Health is a professional, confidential and proactive service to support a wide range of personal concerns such as dealing with stress, anxiety, life transitions/change, coping with health issues and more. There are also many other online health and wellness resources and tools available. The EFAP service is available 24 hours a day, seven days a week. Homewood Health can offer in-person or phone-in counselling services.

For more information, you can visit their website at homewoodhumansolutions.com or call Homewood Health at 1.800.663.1142 and please identify yourself as a former employee, retiree, or spouse of a former employee of TransLink, Coast Mountain Bus Company, BC Rapid Transit Company, or Metro Vancouver Transit Police.

We previously advised that files containing banking information and social insurance numbers of current and former employees had been illegally accessed. With the investigation completed, we now advise that information related to salary or wage rates, deductions, and tax withholdings was also accessed by the cyberattackers.

For some former and current CMBC employees, records related to WorkSafeBC incidents were accessed. We can confirm that no occupational health records were accessed.   

Additionally, our investigation recently produced evidence that a restricted network drive that held personal cheques used to purchase TaxiSavers in our Access Transit Program, was unlawfully accessed.

You will receive a notification letter in the mail which outlines your sensitive personal information which has been accessed.

Whether you should change your banking information is your decision and we urge you to discuss this with your bank. When discussing this with your bank, you should let them know that TransLink does not have your banking account PIN or password.

If you are a retiree and wish to change banking information relating to the administration of your pension, you will need to update your banking information through your Public Service Pension Plan. You have the option to update your banking information in your MyAccount or you can complete and submit a direct deposit form.

Please go to the Public Service Plan Website and search “how to manage banking information” for details or contact the Public Service Pension Plan directly. You will need your Person ID, found on your recent Retired Member statement, full name and date of birth to verify your account.

Notification letters will be sent to current, former and retired employees of TransLink and its subsidiaries, whose sensitive personal information was found to be compromised. A limited number of spouses will also be sent notification letters.

A limited number of spouses have received privacy breach notification letters.

Privacy notification letters have been mailed to a very limited number of TransLink contractors.

Credit monitoring and fraud protection services were offered to former and retired employees in the initial notification letters. Since the sensitive personal information contained in the new records is not information that is typically used to commit fraud, additional credit monitoring will not be provided. Access to codes for credit monitoring was available for several months prior to the expiry date. If you have any questions, please contact cyberincident@translink.ca.

The credit monitoring deadline for former and retired employees expires on June 30, 2021. Access to codes for credit monitoring was available for several months prior to the expiry date. If you have any questions, please contact cyberincident@translink.ca.

Our investigation has produced evidence that personal information has been compromised. Regrettably, attackers accessed and may have copied files from a restricted network drive that stores files containing some personal information that could potentially be misused by cybercriminals to commit fraud. As a precautionary measure, we previously provided impacted individuals with credit monitoring and fraud protection services.

Most companies offer one-year of credit monitoring when there has been a privacy breach. TransLink has offered two-years of credit monitoring for affected individuals. It can be confusing for individuals to receive reports from two separate credit agencies (such as TransUnion and Equifax). However, if someone has applied for credit in your name, most lenders will report that activity to both TransUnion and Equifax. That application will then be shown on the report you receive from TransUnion.

We previously offered a two-year subscription to credit monitoring for all active employees. Should you wish to subscribe for additional credit monitoring, it is recommended that you wait until the two-year period is over before signing up for additional credit monitoring. Any additional credit monitoring beyond what TransLink is providing will be at the employee’s option and expense.

We offered a two-year membership in credit monitoring and fraud prevention services to current and former employees who have been affected by the cyberattack. The service includes the following features:

• Unlimited online access to the TransUnion Credit report, updated daily.

• Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.

• TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file.

• Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.

• Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.

• Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.

Credit monitoring does not stop identity theft or fraud from happening. It is used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.

If you ever believe you have been the victim of identity theft or fraud or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501, or by visiting antifraudcentre.ca.

Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.

TransUnion’s online credit monitoring and fraud prevention service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.

Please refer to the cyberattack resource for more information on steps you can take to protect yourself.