On one of the busiest shopping days of the year, the San Francisco Municipal Transportation Agency (SFMTA) was hit by ransomware. The attack caused ticket machines for the SFMTA’s light rail transit system to go offline all day on Saturday (Nov. 26). Instead of shutting down, however, the agency decided to let users ride for free. By Sunday, the system was up and running like normal again.
“On November 26th, the SFMTA was a victim of a ransomware attack,” a statement issued Sunday by the SFMTA reads. “The situation is now contained, and we have prioritized restoring our systems to be fully operational.”
The Hack
An individual or group going by the name of Andy Saolis claimed responsibility for the ransomware attack on SFMTA. After an initial investigation, it appears that the hacker has stolen and is holding hostage 30GB of the agency’s data. The stolen data contains sensitive data, including databases and employee information. The attackers are demanding a ransom of 100 bitcoins or roughly $73,000 to restore the system. In an email exchange on Monday, attackers claimed that they would release the 30GB of information if the ransom isn’t paid.
The following is a direct quote from the hackers. “We don’t live in USA but I hope company try to fix it correctly and we can advise them if they don’t, we will publish 30GB databases and documents include contracts, employees data, LLD plans, customers and… to have more impact to company to force them to do right job!”
While it’s unclear how the hackers gained access to SFMTA’s system, the group said they would only release the data if the agency didn’t contact them or neglected to fix the vulnerability. However, Paul Rose, an SFMTA spokesperson said the allegations are false and that no customer privacy or transaction information was stolen. Rose also commented that SFMTA has no intentions of paying the ransom and has ensured that they have fixed the vulnerability.
Public Transportation at Risk?
Fortunately for the SFMTA, the city and its residents got off lightly. While they did lose a few days of revenue, which is substantial, attacks like this could happen anywhere and wreak far more havoc. American public transportation systems that make daily life possible for millions are an easy target as they are aging and underfunded. Many barely have enough money to keep trains running let alone invest heavily in cybersecurity upgrades.
Cyberattacks against public transportation agencies can destroy their physical systems, render them inoperable, jeopardize the privacy of employee or customer data or hand over control of those systems to an outside entity. Last December, hackers managed to physically control breakers to kill electricity distribution in Ukraine, then overwrote the control software which damaged it permanently. A similar attack could cripple a subway system like New York’s for weeks, which moves 4.3 million people per day.
In a paper titled “Cybersecurity Considerations for Public Transit” released in 2014, the American Public Transportation Association (ATPA) brought these vulnerabilities to light. Protecting these vulnerabilities only requires a few moves and the ATPA strongly urges transit agencies to do so. Agencies must design hardware and software with multilayered network security, using firewalls, email scanning, and software updates. Furthermore, agencies should create procedures for a cyberattack, then communicate, review, and update them on a regular basis. Lastly, agencies should keep their facilities physically secure and train employees on how to spot and respond to cyberattacks. However, all of this requires a substantial amount of money and, as we mentioned before, transit companies just don’t have it.
WatchPoint’s CryptoStopper is an active defense system, employing deception technology to protect networks from ransomware attacks such as the SFMTA attack. At $20/Server/Month, Cryptostopper is an important part of a multilayered network security system.