In an attempt to better manage events across the city, Toronto police said mission plans and real-time locations of on-duty officers are being uploaded to the cloud, raising questions about the system’s safety from cyber attacks.
The project was first developed for Taylor Swift’s Eras Tour, according to Toronto Police Service (TPS) spokesperson Nadine Ramadan. She said the system is now being used “for all events in the form of a pilot.”
The system runs on Microsoft SharePoint, a cloud-based service that allows organizations to share information internally. SharePoint sites can be viewed through the internet but, unlike a normal website, there are typically strict restrictions on who has access.
TPS officers working an event can access the SharePoint site by scanning a QR code on their work-issued phones, according to a video demonstration of the system presented in December.
From there, officers have access to the “full operational plan,” training constable Derek Ma said in the video. The plans include “radio channels, parade sheets, reporting locations [and] maps,” he said.
As operation plans change, TPS officers can navigate back to the SharePoint site while in the field. Ma said this helps reduce miscommunications because officers working the events have direct access to the plans instead of having to seek out a supervisor.
The pilot project was hailed as a modernization effort to improve police efficiency at a Toronto Police Service Board meeting last month.
Notably, the SharePoint site gives officers in the field access to the real-time locations of their colleagues working the event, Ramadan confirmed to TorontoToday. When asked why this was necessary, Ramadan said the purpose is to provide officers with greater “situational awareness.”
TorontoToday asked TPS what security measures are in place to protect the SharePoint site from being accessed by those outside law enforcement. SharePoint already offers a number of optional security measures like multi-factor authentication (MFA) and automatic sign-outs from the site after a certain period of inactivity.
Ramadan said TPS could not share details about its cybersecurity measures “due to security reasons.”
“What I can tell you is that all our systems use robust authentication and security procedures to keep information safe,” she added.
While SharePoint is generally considered to be a secure platform, most cybersecurity experts agree that no web-based application is 100 per cent safe. That risk is compounded in this case because it appears a large number of officers will have access to the SharePoint site through their work phones which are being brought into the field.
Troy Leach, the chief strategy officer of the non-profit group Cloud Security Alliance, told TorontoToday he couldn’t directly comment on how safe TPS’ SharePoint system is without further details about its security features. However, he did recommend the real-time location of officers not be shared widely.
A staff sergeant, for instance, should have more privileged access to the SharePoint site, Leach said.
“Not every constable needs to know the whereabouts of every other constable,” he justified.
Leach noted a large proportion of cybersecurity incidents and breaches can be traced back to “misconfigurations,” in other words, setting up a system in a way that creates vulnerabilities.
A SharePoint site can be misconfigured by not requiring MFA or giving too many users access to too much information.
Microsoft itself published a report in 2023 that found most users of the company’s cloud products “are greatly over-permissioned, putting organizations’ critical environments at risk.”
This year, about 10 per cent of reported cybersecurity incidents involved a misconfiguration of some sort, according to Verizon’s 2024 Data Breach Investigations Report.
Leach said TPS should strictly monitor who has access to the SharePoint site and recommended that officers’ access be revoked as soon as they’re off the clock. He also suggested TPS have a process in place to remotely lock a device in the event an officer’s phone is stolen to prevent police plans and locations from falling into the wrong hands.
For law enforcement, there is an even greater responsibility to secure systems with sensitive information because of how often agencies are targeted, Leach noted.
“There is a consistent threat to law enforcement systems,” Leach said. “[They] have to have a higher level of security than most enterprise businesses would ever consider.”
In February 2024, the Royal Canadian Mounted Police (RCMP) were the victims of an “alarming” cyber attack. Few details of the incident have been publicly released but the RCMP said at the time there was “no impact on RCMP operations and no known threat to the safety and security of Canadians.”
Just last week, Kingston police revealed a cybersecurity incident impacted its IT systems. Again, few details were made public.
Law enforcement agencies aren’t the only institutions being targeted by hackers. In the last 16 months, the Toronto Public Library, the Toronto Zoo and the Art Gallery of Ontario have all faced cyber attacks.
Most recently, the Toronto District School Board advised parents of a cybersecurity incident involving PowerSchool, an online platform used to store student information.
