The TTC has hired one of the country’s leading legal experts in cyber security incidents to help co-ordinate its response to the ransomware attack it suffered two weeks ago, the Star has learned.
Sunny Handa is a Montreal-based partner at Blake, Cassels & Graydon LLP and is considered one of Canada’s most prominent “breach counsels,” a term for lawyers who guide organizations through ransomware negotiations and related security incidents. He’s served more than 100 clients whose networks have been compromised, and has advised taking a businesslike approach to negotiating with criminal cyber gangs.
TTC spokesperson Stuart Green would neither confirm nor deny the agency had retained Handa’s services or reveal how much it is paying him. Handa also declined a request for comment. But a source with knowledge of the TTC’s handling of the case confirmed that Handa had been brought on board.
Since Oct. 28, the transit agency has been grappling with the effects of a reported ransomware attack, a type of cyber crime that usually involves hackers breaking into an organization’s computer network and encrypting key systems, then demanding a ransom payment to restore access to them.
The TTC said the attack resulted in the shutdown of several important internal and customer-facing systems, including the communication network transit control uses to talk to operators, next vehicle arrival information, the Wheel-Trans online booking system, and the agency’s email network.
The TTC has been able to bring some of the affected systems back online, but the problems have not been fully resolved. On Monday the agency revealed the personal information of up to 25,000 current and former employees may have been compromised in the security breach.
Without confirming who the agency had hired, Jaye Robinson, city councillor for Ward 15—Don Valley West and Chair of the TTC, acknowledged the hack was so serious the agency needed to bring in outside help.
“The skill set and the level of expertise required goes beyond the management of the TTC,” she said in an interview. The experts the agency has retained are leaders in their field who are “helping us investigate the incident and helping us restore our systems, in conjunction with TTC staff.”
Although Handa wouldn’t answer questions Wednesday about the TTC case, he has previously talked about the strategy he recommends for negotiating with hackers, and explained how hiring a lawyer like him can keep organizations from being successfully sued after they suffer a cyber security breach.
In an interview with the Star’s This Matters podcast in July, he said it’s often best to adopt a professional, businesslike posture when negotiating with the criminals who have infiltrated an organization’s systems, even if the leaders at the victimized entity can find it difficult.
“The leverage is all on the side of the hackers usually” so “there is no value to be had by becoming dramatic,” Handa said.
“It’s about having a conversation. We have a business objective to get to. How do we get to that business objective?”
According to a report published by Handa’s firm earlier this year, more than half of ransomware victims end up paying the ransom. Roughly 60 per cent of payments, which are made using cryptocurrency, were more than $100,000 (U.S.). The TTC has not released any information on any ransom demand from last month’s attack.
Handa also told This Matters that while it might seem more obvious for an organization to hire an IT professional to lead their response to a cyber attack, bringing in a breach counsel, also known as a breach coach, offers a layer of legal protection against subsequent lawsuits.
“When you’re in a breach situation it could lead to litigation, you could get sued for all sorts of different issues. For maybe not employing sufficient protection, for losing control of people’s data,” Handa explained.
An attorney retained by a compromised organization can hire IT experts, who report any information about the breach and what the organization could have done to prevent it to the lawyer. That information then becomes protected by attorney-client privilege. Handa explained the goal is that if someone later sues the affected organization over the breach, the plaintiff “can’t necessarily get access to that report or what’s in there.”
The TTC wouldn’t answer the Star’s questions about whether any investigation into the ransomware attack involving Handa will be privileged, or whether it would commit to making such an investigation public.