The Toronto Public Library it is still working to determine the full impact of a crippling cyberattack that disabled the library’s website for months, including whether the personal data of cardholders was accessed.

In the final report to the library board on the Oct. 28 cyberattack, City Librarian Vickery Bowles confirmed that the full extent of the data breach is still under investigation.

The library previously indicated that the personal information of employees, including social insurance numbers and copies of government-issued identification, was stolen during the incident. Further investigation revealed that some information involving dependents and family members of staff was also impacted.

“Although cardholder, volunteer, and donor databases were not affected, some data about these groups likely resided on the compromised file server,” the report notes.

“The larger e-discovery process to investigate whether customer, donor or volunteer data has been taken from the affected file server is underway and will take more time to complete.”

Bowles added that the library will “continue to be transparent” and will notify anyone else who may be affected.