The Toronto Public Library says around 4,100 cardholders, donors and unsuccessful job applicants who had dealings with the library between 2010 and 2023 may have been impacted by a data breach resulting from last year's high-profile cybersecurity attack on the library system.
That's according to a final report the library released Monday, outlining its efforts since it first discovered the attack on its systems in October 2023.
"We have done extensive data forensics to determine the scope of the data breach and to notify those affected," the TPL said in a statement.
"We have now completed this investigation and are providing our final notification to those who may have had some data exposed."
The library said breached data included contact information (street address, email address, phone number), date of birth, library card number, school information and physical descriptions and/or photo images (in incident reports).
The exposed information also identified some individuals as having filed a complaint, the library said.
People who submitted an access request or made a donation to special collections may also have been exposed.
The library announced the privacy breach on Nov. 15, 2023, indicating personal data was stolen from a compromised file server.
The TPL said at the time it believed current and former staff employed by the library and the Toronto Public Library Foundation from 1998 were impacted.
The library said it offered credit monitoring to those staff "given the nature of the exposed information."
Cardholder, volunteer and donor databases were not affected. However, some data about these groups resided on the file server, the TPL said.
TPL began its data analysis last November, which it called a time-consuming process that involved working with an outside vendor.
Based on this work, TPL said it was able to directly notify dependents and family members of employees in March and a group of affected cardholders and other individuals in July and again last month.
"As we conclude our response with this notification, we would also like to express our heartfelt gratitude to our employees and our community members for their patience, understanding and ongoing support as we worked through this challenge together," said the TPL, which said it embraced transparency throughout its response.
The cyberattack downed TPL’s website for three months, from late October 2023 until the end of this January.
The incident severely limited the services the library could provide during that period and stranded one million books in truck storage that could not be reshelved until the system was back up and running.
TPL said it has "embraced transparency" throughout its response. The Office of the Information and Privacy Commissioner of Ontario is also investigating the incident.
If you are concerned that your data may have been breached, you can email [email protected].