The breach will force the library’s 22 locations to go analog until further notice
With the Calgary Public Library poised to reopen all its locations on Wednesday, questions remain as to what caused the cyber breach and what, if any, information was compromised.
The security breach led to a shutdown of all of the library’s 22 branches on Friday, after the organization’s IT security consultants advised CPL of the incident.
On Tuesday, CPL communications director Mary Kapusta said the shutdown was required as part of their investigation and containment procedures.
“What we can confirm right now is that cybersecurity breach occurred and that compromised a server, and so systems that were related had to come down,” she explained.
The procedure to turn things off and slowly bring them back online as they are deemed secure is where “disruption to service is significant,” said Kapusta. “We felt we had to do it just out of an abundance of caution.”
Library users were also encouraged previously to reset any passwords that are the same or similar to CPL account passwords, with “an abundance of caution” being cited.
It is still not clear how the breach occurred, or what data — if any — was compromised.
The library is committed to sharing what they can as soon as they have answers, according to Kapusta.
“We do know that (the) privacy and the data component is top of mind, so we’re working to get some answers,” she said.
“Our technology teams are working pretty long days with our security consultants to first contain the issue and bring services back as it is secure to do so,” she said.
After that, it turns to the scale or impact of the incident and how it happened, Kapusta said.
The investigation remains in the early stages, part of which will be to understand some of the motivations or intent of the attack. Kapusta wasn’t clear as to whether CPL had been in contact with any supposed perpetrators of the breach.
“Our investigation may involve police at some point, but right now, there is not a criminal investigation that we have initiated,” she said.
“When we share information, we want to make sure that it is credible and correct. So we need a little bit more time for those security teams to understand what occurred and maybe the scale of that impact.”
Timeline for ‘business as usual’ uncertain
In terms of a timeline for when service is back to “business as usual,” Kapusta didn’t give a firm date, but remains optimistic as more services come online.
“We’re still not out of the woods, we’re still slowly coming back to that service and containment is ongoing,” Kapusta said.
The shift to analog means physical checkouts and a lot of pens to paper, “but I think we want to keep moving and certainly get back to serving Calgarians.”
An IT security expert was quick to commend the Calgary Public Library for reopening so quickly, saying their heart’s in the right place in wanting to get the branches open.
“It is astute of them to reopen it, as opposed to just keeping the place locked until they get everything perfect,” said Dr. Tom Keenan, a professor at the University of Calgary on Tuesday.
Speaking generally, he said the “worst case scenario” should always be thought about in data security.
“So of course, the Calgary Public Library needs to go through and improve their security,” he said. “The library probably, you know, would benefit from a cleanup of some data that they don’t need anymore.”
Reading between the lines of users being “encouraged” to reset passwords, he said “that says that usernames and passwords were compromised; I mean, that’s a hint.”
He noted that CPL’s advice is sound, and advised against using similar passwords between multiple different accounts.
“The bad guys don’t just try the password that they get. They know that we use these patterns and stuff like that.”
Keenan advised that people practice good “password hygiene” with password managers and automatically generate strong passwords.
— With files from Matt Scace and Scott Strasser