TransLink Cyber Incident
What happened
In December 2020, TransLink was the victim of a cyberattack. Upon detection, we took immediate action to shut down multiple computer systems as a protective measure and launched an investigation.
Over the course of the investigation, we worked tirelessly with cybersecurity experts to understand what happened and determine what information was unlawfully accessed. We also worked with law enforcement authorities and notified the Office of the Information and Privacy Commissioner for BC.
This investigation has been a complex and time-consuming process that took months to complete. It involved extensive analysis, the use of e-discovery tools, and manual data reviews.
The privacy review concluded in June 2021.
Who is affected
The cyberattackers unlawfully accessed restricted network folders that held sensitive personal information.
We have been monitoring the situation closely and, so far, we are not aware of any misuse of sensitive personal information that was accessed during this incident.
Employee data
The attackers unlawfully accessed a restricted network drive that contained sensitive personal information related to payroll and benefits administration. These files included banking information and social insurance numbers.
This drive contained the sensitive personal information of current, past and retired employees of TransLink, Coast Mountain Bus Company, BC Rapid Transit Company, West Coast Express, and Transit Police, and a limited number of spouses.
Payment cheques for TaxiSaver customers
Investigators recently confirmed the attackers unlawfully accessed a restricted network folder that held scans of personal cheques, written to purchase TaxiSavers in our Access Transit Program.
The individual who wrote the cheque is not always the Access Transit customer. In some instances, it is a family member, a friend, or a care provider of a customer in our Access Transit Program who wrote the cheque.
No Compass customer payment data was accessed
We want to reassure our customers that their Compass fare payment information has not been affected. TransLink does not store this information. We use a secure third-party processor for all fare transactions, and we do not have access to that data.
How will I know if I am affected?
We are mailing breach notification letters to individuals whose sensitive personal information was unlawfully accessed.
The letter will describe what sensitive personal information was impacted and will outline steps you can take to protect yourself from potential risks.
What lessons did TransLink learn?
Cyberattacks are an emerging global threat to public and private businesses across all sectors. We are continually looking at measures to strengthen our security, particularly as cybersecurity threats continue to evolve.
We will be reviewing our existing policies, practices, training programs, and physical and technical security measures with a view and commitment to continuous improvement.
We are also looking at ways to work with our business peers to share lessons learned and best practices to help them avoid falling victim to future cyberattacks.
More Information
We have prepared some resources below that aim to answer questions you may have.
If you have additional questions, you can also email cyberincident@translink.ca.
Cyber Incident Information Sessions
TaxiSaver customers
Join us for a special 30-minute Virtual Information Session to hear from TransLink executives and Danny Timmins, National Cybersecurity Leader at MNP LLP, one of the largest business advisory firms in the country.
Cyber Incident Information Session – March 2, 2021
On Tuesday, March 2, TransLink held two virtual Cyber Incident Information Sessions for former, retired and current employees of TransLink, BCRTC, CMBC and Transit Police to provide an update on the recent cyberattack, the ongoing investigation into the incident, and how it impacts all of us.
During the Information Session, attendees heard from Danny Timmins, National Cybersecurity Leader at MNP LLP, one of the largest business advisory firms in the country. They also heard from Timothy Walsh who is the Vice President of Breach and Cyber Risk Solutions at TransUnion. In addition to Danny and Timothy, there were also representatives from the leadership teams of TransLink, CMBC, BCRTC, and Transit Police on the call.
If you were unable to join either session on March 2, you can watch the hour-long video below.
FAQs
FAQs for TaxiSaver Customers
I am not a TransLink TaxiSaver customer. Why am I receiving this letter?
The person who wrote the personal cheque is not always the customer in our Access Transit program. In some instances, it is a family member, a friend, a loved one, or a care provider of a customer who wrote the cheque. If you wrote a cheque on behalf of a TaxiSaver customer, it is your information that was accessed.
Why did it take so long to find this out?
TransLink moved quickly to launch an investigation into the cyberattack immediately upon detection. The privacy review has been a complex and time-consuming process that unfolded over the past several months, involving extensive analysis and manual data reviews.
We recently discovered this group was affected and have been notifying you as quickly as possible. The review is now complete, and we are in a position to provide affected individuals with a complete list of all sensitive personal information that was unlawfully accessed.
Should I change my bank account information?
We ask that you discuss these concerns with your bank and follow their recommendations.
Why is TransLink offering credit monitoring and fraud protection services?
TransLink is offering credit monitoring and fraud protection services as a precautionary measure. We urge you to take advantage of this offer as it will help protect you from many forms of fraud and identity theft.
Is there any other way to pay for TaxiSavers?
Most customers purchase TaxiSavers through the mail and this method of payment is exclusively by cheque. However, the Compass Customer Service Centre at Stadium-Chinatown Station accepts cash, debit, and credit (but not cheques).
What other personal information does TransLink maintain on Access Transit customers?
If an individual wrote a cheque for an Access Transit customer, the only information TransLink holds is whatever is printed on the personal cheque. TransLink does not record this information in any way separately from the cheque itself.
For an Access Transit customer, TransLink will have the application on file in a restricted folder. As the investigation into what the attackers accessed in the cyberattack is now complete, we can confirm that this information was not accessed during this cyber incident.
What if affected individuals have moved or changed address? How will they receive a notification letter?
We recommend individuals connect with us to update their address. Once updated, we will re-issue the breach notification letter to the new address. For individuals who wrote a cheque for TaxiSavers for themselves or on behalf of someone else, and did not get a breach notification letter, please email cyberincident@translink.ca to let us know.
Please include in your email:
- Your name as it appeared on your cheque and your current address.
- Please also include your HandyCard number or, if you are not the customer, the customer's name and HandyCard number.
Upon receipt of your email, if we confirm that you were an impacted individual, we will send you a new breach notification letter to your updated mailing address. This process could take 10 to 15 business days.
Why does TransLink keep copies of cheques on record?
As part of normal accounting and auditing processes, records are maintained and stored in restricted folders for accounting staff for a minimum of 7 years. Records of TaxiSaver purchases are included in this process, and scanned copies are maintained and stored in restricted folders for accounting staff.
Doesn’t TransLink have cybersecurity measures in place?
Instances of cybercrime are on the rise globally. The fact that TransLink became a victim despite maintaining a robust cybersecurity program is evidence of how sophisticated these criminals are. Even though we have many security measures in place to protect our systems and data, due to how the cyberattack was executed, data encryption would not have prevented the attackers from breaking through.
Prior to this attack, TransLink had invested in a robust security program with several additional security projects that were planned to begin in 2021. We will continue to pursue those projects and will also be making additional investments to further strengthen our safeguards and protect the security and confidentiality of sensitive personal information in light of evolving cybersecurity threats. We are continuing to review our existing policies, practices, training programs and physical and technical security measures as well, with a view and commitment to continuous improvement. We have also taken the opportunity to further strengthen our systems as we bring them back online.
We have already begun to review our existing policies, practices, training programs, and physical and technical security measures. We will continue to look for any opportunities to further strengthen our safeguards.
What are you doing to ensure this doesn’t happen again and can I trust TransLink to keep my personal information safe going forward?
We take the security of personal information within our care very seriously at TransLink. We are continually investing in our security measures, particularly as cybersecurity threats continue to evolve.
We are also reviewing our existing policies, practices, training programs, and physical and technical security measures with a view and commitment to continuous improvement. Additionally, TransLink is looking at ways to work with business peers to share lessons learned and best practices to help prevent them from falling victim to future cyberattacks.
Credit Monitoring
Why is TransLink offering credit monitoring and fraud protection services?
Our investigation has produced evidence that personal information has been compromised. Regrettably, attackers accessed and may have copied files from a restricted network drive that stores files containing some personal information that could potentially be misused by cybercriminals to commit fraud. As a precautionary measure, we are providing impacted TaxiSaver customers with credit monitoring and fraud protection services.
Can we sign up for more than two years of credit monitoring?
We previously offered a two-year subscription to credit monitoring for all active employees. Should you wish to subscribe for additional credit monitoring, it is recommended that you wait until the two-year period is over before signing up for additional credit monitoring. Any additional credit monitoring beyond what TransLink is providing will be at the employee’s option and expense.
What specifically is included in TransUnion’s credit monitoring and fraud protection service package?
TransLink is offering a two-year membership in credit monitoring and fraud prevention services to individuals whose sensitive personal information was unlawfully accessed by the cyberattackers. The service includes the following features:
- Unlimited online access to the TransUnion Credit report, updated daily.
- Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.
- TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file.
- Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
- Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.
- Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.
If I sign up for credit monitoring, will this stop fraudulent activity from happening to me?
Credit monitoring does not stop identity theft or fraud from happening. It is used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.
What should I do if my credit is compromised or there is fraudulent activity? Will I be responsible for the charges? / What do I do if I believe I am a victim of identity theft? / What do I do if I believe my information is compromised?
If you ever believe you have been the victim of identity theft or fraud or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1-888-495-8501, or by visiting http://www.antifraudcentre-centreantifraude.ca/.
Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.
How will I know if my information was used by someone else? How will I know if I am the victim of fraud?
TransUnion’s online credit monitoring and fraud prevention service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.
Besides credit monitoring, what other steps can I take to protect myself?
Please refer to the cyber resource page for more information on steps you can take to protect yourself.
FAQs for Current Employees
General Questions
Why am I receiving another privacy notification letter?
Several months ago, while the investigation was still in its earlier stages, we became aware that certain sensitive personal information had been unlawfully accessed. We moved quickly to notify affected individuals and offer credit monitoring and fraud protection services at that time, even though our investigation was still ongoing.
We then continued to undertake a comprehensive review of the accessed information. The review is now complete, and we are in a position to provide affected individuals with a complete list of all sensitive personal information that was unlawfully accessed.
Why did it take so long to complete the investigation?
TransLink moved quickly to launch an investigation into the cyberattack immediately upon detection. The privacy review has been a complex and time-consuming process that unfolded over the past several months, involving extensive analysis and manual data reviews.
TransLink utilized a process called e-discovery to assist us in identifying which files contain sensitive personal information. E-discovery is a two-step process. First, software tools are used to detect possible personal information in the files. Next, the files that have been identified as possibly containing personal information are manually reviewed individually to confirm that they contain sensitive personal information and to identify whose sensitive personal information is included. This process takes weeks or months, depending on the total number and size of all the files that need to be searched.
What specific security measures is TransLink implementing to prevent future cyberattacks?
Instances of cybercrime are on the rise globally. Although TransLink has a robust cybersecurity program in place and conducts regular cybersecurity training for staff, this incident shows that unfortunately no organization is immune. It also confirms the need for continuous monitoring and improvement of our security measures.
Our I.T. Security program has been a top priority for the TransLink enterprise for many years and as part of that we have developed multi-year strategies and roadmaps for investing in I.T. security, infrastructure, and software. In recent years, we have continued to expand the program with investments in new systems and practices. We also conduct regular studies, audits, and exercises such as our annual maturity assessments, penetration tests, and compliance audits.
Prior to this attack, TransLink had several additional security projects that were planned to begin in 2021. We will continue to pursue those projects and will also be making additional investments to further strengthen our safeguards and protect the security and confidentiality of sensitive personal information in light of evolving cybersecurity threats. We are continuing to review our existing policies, practices, training programs and physical and technical security measures, with a view and commitment to continuous improvement. We have also taken the opportunity to further strengthen our systems as we bring them back online.
Over the past six months, Business Technology Services has taken many additional steps and measures to enhance our existing information security practices. These include:
- Implementing a red warning banner to identify external emails and risk
- Implementing a “Report Phishing” button at the top of emails
- Expanded use of multi-factor authentication for VPN
- Installing Carbon Black, Microsoft Defender and Cisco Security Umbrella to provide enhanced protection
- Continuing the regular patching of computer assets
- Installing additional vulnerability management agents, including Microsoft’s advanced threat protection tools, for continuous scanning and monitoring, to further leverage cyber security intelligence and be proactively alerted of potential threats
- Expanding our security controls to provide enhanced Cloud Security
All these investments and initiatives have been undertaken in addition to our annual awareness campaigns and the ongoing mandatory I.T. security awareness training and exercises for all employees. Cybersecurity is a constantly moving target and we re-evaluate our objectives and targets every year.
We also work with an external review partner to update our plans, policies, and standards annually, to ensure we are doing as much as possible to stay ahead of the curve. Employees continue to be reminded to remain vigilant and report any suspicious emails, links or attachments through Outlook’s Report Message feature or by forwarding the email to the Service Desk (servicedesk@translink.ca). Cybersecurity is everyone’s responsibility.
Finally, we are looking at ways to work with other public agencies, organizations, and businesses to share lessons learned from this incident, to help them avoid falling victim to future cyberattacks. We will all need to be ever vigilant.
What systems have been affected and restored?
Applications and systems recovery work is ongoing. Please note, as applications are recovered, some may have reduced functionality while others may not yet have been made available for general use by the business owner. A list of available applications and their current functionality can be found on SharePoint and will be updated weekly.
Some Enterprise Data Warehouse (EDW) and Business Intelligence (BI) systems and data are now available. An up-to-date dashboard for end-users communicating the recovery status is available to view.
Has any personal information been misused by the cyberattackers?
TransLink is taking this incident very seriously. Dark web monitoring has been in place since the incident occurred. To date, TransLink is not aware of any misuse of the sensitive personal information accessed by the cyberattackers.
Did TransLink pay the ransom?
A ransom demand ($6M USD) was made when the attack first took place. In the end, TransLink made the decision to not make any ransom payments to the cybercriminals. There was no guarantee that these cybercriminals would keep their word and not misuse the personal information that they unlawfully accessed. We were also concerned that any payment to cybercriminals would embolden further attacks on us and other agencies. It was fortunate that we were able to restore our systems from backups, although recovery has certainly been a long and arduous process.
How long is TransLink permitted to keep personal information on record?
TransLink has legal and operational requirements to retain personal information of former and retired employees for purposes such as pension and benefits administration and for related tax reporting purposes.
For example, TransLink has a Records Classification and Retention Schedule which provides that a retired employee’s file is retained for 7 calendar years after the retiree dies and payment of claim is completed, benefits are exhausted, or a spouse or beneficiary dies.
Notification Letters
I haven’t received a notification letter yet, when can I expect to?
Notification letters are expected to start arriving as early as the week of July 5, 2021. Timing will depend on Canada Post delivery times.
What if TransLink doesn’t have my current address?
If you are a current employee and your address requires updating, for example, if your address is incorrect on your paystub or you have moved in the last 18 months, you can provide your updated address by emailing employee.benefits@translink.ca.
Personal Information
What personal information did the cyberattackers access?
We previously advised that files containing banking information and social insurance numbers of current and former employees had been illegally accessed. With the investigation completed, we now advise that information related to salary or wage rates, deductions, and tax withholdings was also accessed by the cyberattackers.
For some former and current CMBC employees, records related to WorkSafeBC incidents were accessed. We can confirm that no occupational health records were accessed.
Additionally, our investigation recently produced evidence that a restricted network drive that held personal cheques used to purchase TaxiSavers in our Access Transit Program was unlawfully accessed.
How do I know if my personal information has been compromised?
You will receive a notification letter in the mail that outlines which of your sensitive personal information was accessed.
My banking information was accessed. Should I close this account?
Whether you should change your banking information is your decision and we urge you to discuss this with your bank. When discussing this with your bank, you should let them know that TransLink does not have your banking account PIN or password.
If you are an employee of TransLink, Transit Police or CMBC and you wish to change your banking information, you may do so by sending your direct deposit changes to pay.inquiries@translink.ca from an internal corporate address, or by sending a hard copy to Payroll by internal mail (S755) or Canada Post, or by dropping it off at Sapperton. You will need to complete the direct deposit enrollment form. If you are a BCRTC or WCE employee, you may change your banking information by emailing payroll@bcrtc.bc.ca.
Who is Affected?
Which employee groups are affected by the privacy breach?
Notification letters will be sent to current, former and retired employees of TransLink and its subsidiaries, whose sensitive personal information was found to be compromised. A limited number of spouses will also be sent notification letters.
Why is the personal information accessed for me different from my colleagues'?
More than one restricted folder was accessed, and each folder contained different information. That is why the information accessed may differ from person to person, and it is part of why each impacted individual has received or will receive a personalized letter noting exactly what information we know was accessed.
Are spouses or dependants of employees also impacted by the privacy breach?
A limited number of spouses have received privacy breach notification letters.
I am a contracted employee, has my information been accessed?
Privacy notification letters have been mailed to a very limited number of TransLink contractors.
Credit Monitoring
Given additional sensitive personal information was accessed, will you be offering credit monitoring again?
Credit monitoring and fraud protection services were offered to current employees in December as a precautionary measure. Employees were reminded on several occasions to register for this service before the deadline. Since the sensitive personal information contained in the new records is not information that is typically used to commit fraud, additional credit monitoring will not be provided. If you have any questions, please contact cyberincident@translink.ca.
I missed the credit monitoring deadline. Can I still register?
Unfortunately, the credit monitoring deadline for current employees expired in April. Access to registration codes for credit monitoring was available for several months prior to the expiry date and regrettably, the deadline cannot be extended. Employees were reminded on several occasions to register for this service before the deadline. If you have any questions, please contact cyberincident@translink.ca.
Given additional sensitive personal information was accessed, will you be offering credit monitoring again?
Our investigation has produced evidence that personal information has been compromised. Regrettably, attackers accessed and may have copied files from a restricted network drive that stores files containing some personal information that could potentially be misused by cybercriminals to commit fraud. As a precautionary measure, we previously provided impacted individuals with credit monitoring and fraud protection services.
Why is TransLink offering 2 years of credit monitoring and not more? Why is TransLink offering credit monitoring service only with TransUnion?
Most companies offer one year of credit monitoring when there has been a privacy breach. TransLink has offered two years of credit monitoring for affected individuals. It can be confusing for individuals to receive reports from two separate credit agencies (such as TransUnion and Equifax). However, if someone has applied for credit in your name, most lenders will report that activity to both TransUnion and Equifax. That application will then be shown on the report you receive from TransUnion.
Can we sign up for more than two years of credit monitoring?
We previously offered a two-year subscription to credit monitoring for all active employees. Should you wish to subscribe for additional credit monitoring, it is recommended that you wait until the two-year period is over before signing up for additional credit monitoring. Any additional credit monitoring beyond what TransLink is providing will be at the employee’s option and expense.
What specifically is included in the credit monitoring and fraud protection service?
We offered a two-year membership in credit monitoring and fraud prevention services to current and former employees who have been affected by the cyberattack. The service includes the following features:
- Unlimited online access to the TransUnion Credit report, updated daily.
- Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.
- TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file.
- Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
- Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.
- Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.
If I sign up for credit monitoring, will this stop fraudulent activity from happening to me?
Credit monitoring does not stop identity theft or fraud from happening. It is used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.
What should I do if my credit is compromised or there is fraudulent activity? Will I be responsible for the charges? / What do I do if I believe I am a victim of identity theft? / What do I do if I believe my information is compromised?
If you ever believe you have been the victim of identity theft or fraud or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501, or by visiting antifraudcentre.ca.
Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.
How will I know if my information was used by someone else? How will I know if I am the victim of fraud?
TransUnion’s online credit monitoring and fraud prevention service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.
Besides credit monitoring, what other steps can I take to protect myself?
Please refer to the cyberattack resource for more information on steps you can take to protect yourself.
FAQs for Retired and Former Employees
General Questions
Why am I receiving another privacy notification letter?
Several months ago, while the investigation was still in its earlier stages, we became aware that certain sensitive personal information had been unlawfully accessed. We moved quickly to notify affected individuals and offer credit monitoring and fraud protection services at that time, even though our investigation was still ongoing.
We then continued to undertake a comprehensive review of the accessed information. The review is now complete, and we are in a position to provide affected individuals with a complete list of all sensitive personal information that was unlawfully accessed.
Why did it take so long to complete the investigation?
TransLink moved quickly to launch an investigation into the cyberattack immediately upon detection. The privacy review has been a complex and time-consuming process that unfolded over the past several months, involving extensive analysis and manual data reviews.
TransLink utilized a process called e-discovery to assist us in identifying which files contain sensitive personal information. E-discovery is a two-step process. First, software tools are used to detect possible personal information in the files. Next, the files that have been identified as possibly containing personal information are manually reviewed individually to confirm that they contain sensitive personal information and to identify whose sensitive personal information is included. This process takes weeks or months, depending on the total number and size of all the files that need to be searched.
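The two-step e-discovery process described above (and in the same answer under FAQs for Current Employees) can be sketched as follows. This is an added illustration, not TransLink's tooling: step 1 flags candidate social insurance numbers and cheque routing numbers, using the Luhn check digit that SINs carry to discard most look-alike digit runs, and step 2 is represented by a masked queue handed to human reviewers. File names, contents and function names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Step 1 patterns. A Canadian SIN is 9 digits, usually written in 3-3-3 groups.
SIN_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")
# Routing as printed on Canadian cheques: 5-digit transit, 3-digit institution.
ROUTING_RE = re.compile(r"(?<!\d)\d{5}-\d{3}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; SINs carry a Luhn check digit, random 9-digit runs mostly do not."""
    if digits == "0" * len(digits):
        return False  # all zeros passes Luhn but is never a real identifier
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 3) -> str:
    """Hide all but the last `keep` digits so the review queue does not copy the PII."""
    total = sum(c.isdigit() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep else "*")
        else:
            out.append(c)
    return "".join(out)


@dataclass
class Hit:
    kind: str      # "sin" or "bank_routing"
    line_no: int   # 1-based line in the file, so a reviewer can jump to it
    masked: str    # masked form of the matched text


def scan_text(text: str) -> list[Hit]:
    """Step 1: automated detection of possible personal information."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SIN_RE.finditer(line):
            if luhn_valid("".join(m.groups())):
                hits.append(Hit("sin", line_no, mask(m.group(0))))
        for m in ROUTING_RE.finditer(line):
            hits.append(Hit("bank_routing", line_no, mask(m.group(0))))
    return hits


def build_review_queue(files: dict[str, str]) -> list[tuple[str, list[Hit]]]:
    """Input to step 2: only files with hits, busiest first, for manual confirmation."""
    flagged = [(path, scan_text(body)) for path, body in files.items()]
    flagged = [(path, hits) for path, hits in flagged if hits]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample data; the SINs are checksum-valid test values, not real people.
SAMPLE_FILES = {
    "payroll/2019_t4_export.csv": (
        "name,sin,gross\n"
        "A. Example,046 454 286,51000\n"
        "B. Example,130-692-544,48000\n"
    ),
    "benefits/enrolment_note.txt": "Direct deposit to 12345-001 acct ending 4411\n",
    # Nine-digit runs that fail the Luhn check: not queued for review.
    "ops/bus_stop_ids.txt": "Stop 123 456 789 relocated\nPart no. 555000111\n",
}

if __name__ == "__main__":
    for path, hits in build_review_queue(SAMPLE_FILES):
        print(path)
        for h in hits:
            print(f"  line {h.line_no}: {h.kind} {h.masked}")
```

The checksum only reduces false positives; a flagged value can still be an unrelated number, and scanned cheque images would need OCR before any pattern matching, which is why the manual review step remains.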
Has any personal information been misused by the cyberattackers?
TransLink is taking this incident very seriously. Dark web monitoring has been in place since the incident occurred. To date, TransLink is not aware of any misuse of the sensitive personal information accessed by the cyberattackers.
Did TransLink pay the ransom?
A ransom demand ($6M USD) was made when the attack first took place. In the end, TransLink made the decision to not make any ransom payments to the cybercriminals. There was no guarantee that these cybercriminals would keep their word and not misuse the personal information that they unlawfully accessed. We were also concerned that any payment to cybercriminals would embolden further attacks on us and other agencies. It was fortunate that we were able to restore our systems from backups, although recovery has certainly been a long and arduous process.
How long is TransLink permitted to keep personal information on record?
TransLink has legal and operational requirements to retain personal information of former and retired employees for purposes such as pension and benefits administration and for related tax reporting purposes.
For example, TransLink has a Records Classification and Retention Schedule which provides that a retired employee’s file is retained for 7 calendar years after the retiree dies and payment of claim is completed, benefits are exhausted, or a spouse or beneficiary dies.
Why does TransLink still have my personal information on file, long after I stopped working there?
TransLink has legal and operational requirements to retain personal information of former and retired employees for purposes such as pension and benefits administration, and tax reporting purposes.
For example, TransLink has a Records Classification and Retention Schedule which provides that a retired employee’s file is retained for 7 calendar years after the retiree dies and payment of claim is completed, benefits are exhausted, or a spouse or beneficiary dies.
Notification Letters
I haven’t received a notification letter yet, when can I expect to?
Notification letters are expected to start arriving as early as the week of July 5, 2021. Timing will depend on Canada Post delivery times.
What if TransLink doesn’t have my current address?
If you are a former employee or retiree, please contact cyberincident@translink.ca to update your address. TransLink has a list of all those who received a letter so they can confirm if your information was compromised. They will be asking for information to confirm your identity.
Will TransLink be providing mental health support, such as access to the Employee & Family Assistance Program, to retired members and/or their spouses? This situation could have negative impacts on people’s mental health, especially seniors who may be feeling isolated due to the pandemic.
We truly understand how distressing this situation is. TransLink is pleased to extend Homewood Health’s Employee & Family Assistance Program (EFAP) services to former employees, retirees, and eligible spouses who have been impacted by the recent cyberattack. EFAP services are available effective immediately up to Dec. 31, 2021.
The EFAP service provided by Homewood Health is a professional, confidential and proactive service that supports a wide range of personal concerns such as dealing with stress, anxiety, life transitions/change, coping with health issues and more. There are also many other online health and wellness resources and tools available. The EFAP service is available 24 hours a day, seven days a week. Homewood Health can offer in-person or phone-in counselling services.
For more information, you can visit their website at homewoodhumansolutions.com or call Homewood Health at 1.800.663.1142 and please identify yourself as a former employee, retiree, or spouse of a former employee of TransLink, Coast Mountain Bus Company, BC Rapid Transit Company, or Metro Vancouver Transit Police.
Personal Information
What personal information did the cyberattackers access?
We previously advised that files containing banking information and social insurance numbers of current and former employees had been illegally accessed. With the investigation completed, we now advise that information related to salary or wage rates, deductions, and tax withholdings was also accessed by the cyberattackers.
For some former and current CMBC employees, records related to WorkSafeBC incidents were accessed. We can confirm that no occupational health records were accessed.
Additionally, our investigation recently produced evidence that a restricted network drive that held personal cheques used to purchase TaxiSavers in our Access Transit Program was unlawfully accessed.
How do I know if my personal information has been compromised?
You will receive a notification letter in the mail that outlines which of your sensitive personal information was accessed.
My banking information was accessed. Should I close this account?
Whether you should change your banking information is your decision and we urge you to discuss this with your bank. When discussing this with your bank, you should let them know that TransLink does not have your banking account PIN or password.
If you are a retiree and wish to change banking information relating to the administration of your pension, you will need to update your banking information through your Public Service Pension Plan. You have the option to update your banking information in your MyAccount or you can complete and submit a direct deposit form.
Please go to the Public Service Plan Website and search “how to manage banking information” for details or contact the Public Service Pension Plan directly. You will need your Person ID, found on your recent Retired Member statement, full name and date of birth to verify your account.
Who is Affected?
Which employee groups are affected by the privacy breach?
Notification letters will be sent to current, former and retired employees of TransLink and its subsidiaries, whose sensitive personal information was found to be compromised. A limited number of spouses will also be sent notification letters.
Are spouses or dependants of employees also impacted by the privacy breach?
A limited number of spouses have received privacy breach notification letters.
I am a contracted employee, has my information been accessed?
Privacy notification letters have been mailed to a very limited number of TransLink contractors.
Credit Monitoring
Given additional sensitive personal information was accessed, will you be offering credit monitoring again?
Credit monitoring and fraud protection services were offered to former and retired employees in the initial notification letters. Since the sensitive personal information contained in the new records is not information that is typically used to commit fraud, additional credit monitoring will not be provided. Access to codes for credit monitoring was available for several months prior to the expiry date. If you have any questions, please contact cyberincident@translink.ca.
Can I still register for credit monitoring?
The credit monitoring deadline for former and retired employees expires on June 30, 2021. Access to codes for credit monitoring was available for several months prior to the expiry date. If you have any questions, please contact cyberincident@translink.ca.
Given additional sensitive personal information was accessed, will you be offering credit monitoring again?
Our investigation has produced evidence that personal information has been compromised. Regrettably, attackers accessed and may have copied files from a restricted network drive that stores files containing some personal information that could potentially be misused by cybercriminals to commit fraud. As a precautionary measure, we previously provided impacted individuals with credit monitoring and fraud protection services.
Why is TransLink offering 2 years of credit monitoring and not more? Why is TransLink offering credit monitoring service only with TransUnion?
Most companies offer one year of credit monitoring when there has been a privacy breach. TransLink has offered two years of credit monitoring for affected individuals. It can be confusing for individuals to receive reports from two separate credit agencies (such as TransUnion and Equifax). However, if someone has applied for credit in your name, most lenders will report that activity to both TransUnion and Equifax. That application will then be shown on the report you receive from TransUnion.
Can we sign up for more than two years of credit monitoring?
We previously offered a two-year subscription to credit monitoring for all active employees. Should you wish to subscribe for additional credit monitoring, it is recommended that you wait until the two-year period is over before signing up for additional credit monitoring. Any additional credit monitoring beyond what TransLink is providing will be at the employee’s option and expense.
What specifically is included in the credit monitoring and fraud protection service?
We offered a two-year membership in credit monitoring and fraud prevention services to current and former employees who have been affected by the cyberattack. The service includes the following features:
- Unlimited online access to the TransUnion Credit report, updated daily.
- Unlimited online access to the TransUnion CreditVision® Risk score, with score factors and analysis updated daily.
- TransUnion credit monitoring alerts with email notifications to key changes on a consumer’s credit file.
- Unlimited access to online educational resources concerning credit management, fraud victim assistance and identity theft prevention.
- Identity theft insurance of up to $50,000 in coverage to protect against potential damages related to identity theft and fraud.
- Dark Web Monitoring to provide monitoring of surface, social, deep, and dark websites for potentially exposed personal, identity and financial information in order to help protect consumers against identity theft.
If I sign up for credit monitoring, will this stop fraudulent activity from happening to me?
Credit monitoring does not stop identity theft or fraud from happening. It is used as a detection system to warn you of any suspicious activity that may impact your credit score. If you are alerted to credit activity that you did not authorize, contact the creditor immediately.
What should I do if my credit is compromised or there is fraudulent activity? Will I be responsible for the charges? / What do I do if I believe I am a victim of identity theft? / What do I do if I believe my information is compromised?
If you ever believe you have been the victim of identity theft or fraud or have reason to believe your information is being misused, we urge you to immediately contact the police and file a police report. You can also contact the Canadian Anti-Fraud Centre at 1.888.495.8501, or by visiting antifraudcentre.ca.
Make note of the police file number you are given in connection with the police report. If you see a fraudulent charge on your payment card, you should immediately contact the bank, credit union or other financial institution that issued your card. The phone number to call can be found on the back of the card. The bank, credit union or other financial institution might ask you if you have a police file number available, and you should provide it if you have it.
How will I know if my information was used by someone else? How will I know if I am the victim of fraud?
TransUnion’s online credit monitoring and fraud prevention service will notify you by email of critical changes to your TransUnion Credit Report. Should you receive an email alert, you can review and validate the reported change by logging into the portal. This allows you to identify any potentially fraudulent activity on your TransUnion Credit Report.
Besides credit monitoring, what other steps can I take to protect myself?
Please refer to the cyberattack resource for more information on steps you can take to protect yourself.