Getting Incident Communications Right

2025-03-05

Lessons from Toronto Zoo Ransomware

Press Conference

The Toronto Zoo was hacked in late 2023, and it went public with the breach in January 2024. This is the follow-up press release on the efforts it has made to deal with the incident; it is a model of public address.

By contrast, consider the 2017 Equifax data breach. Although Equifax did make a public statement on the breach, several glaring errors in how it did so are apparent in retrospect:

(sic, from Wikipedia)

  • Equifax did not immediately disclose whether PINs and other sensitive information were compromised
  • Equifax did not explain the delay between its discovery of the breach in July and its public announcement in early September
  • It was also revealed that three Equifax executives sold almost $1.8 million of their personal holdings of company shares days after Equifax discovered the breach but more than a month before the breach was made public. This would not have been as readily accessible an option had the breach been disclosed in a more appropriate window.

For most of us working in less public arenas, "press release" is a dramatic term, but a statement about an incident is required more often than one would think. It is vitally important that custodians of disaster recovery processes understand why statements on breaches, other cyber incidents, and disasters are essential. It is just as important to know how to do them well.

  1. All companies with a web presence make public announcements. A company may not be legally required to make a public statement to the media about a cyber incident, but most companies have an online presence and may need to address the problem in a public space regardless. If your business Tweets, makes BlueSky posts, has a public blog, sends out email newsletters, runs a Discord server, or makes Facebook posts in the local town page, the silence of not posting an announcement can be damaging.
  2. Sometimes "press releases" are internal. Preparing a statement is more than communication with the public: we often must craft messages to clients who rely on our services during emergencies, or to other departments, or to leadership. Be prepared, and create template messages for outages and downtimes.
  3. Transparency is always the best policy. We have studied this. We have witnessed the outcomes of trying to handle it "in-house" or otherwise contain the problem. The evidence comes back time and time again to reinforce that owning up to the issue as soon as possible reduces the damage done by public perception.
  4. Build public statements into your DR planning. Nothing says "We're unprepared" like a fumbled statement or several emails to the company with conflicting information. Get some templates. Review them with leadership. If you have a legal team, review your communications templates with them. Have your material on hand so you don't need to stress about format and tone during a crisis.

Handle the problem with diplomacy and respect for privacy, but handle it fast and handle it transparently. Own your organization, own your breaches, and be responsible for the stewardship of your data.

*
Jules