Hackers gave everyone a free ride on San Francisco public transit
Hackers apparently breached San Francisco’s mass transit system over the holiday weekend, forcing the agency to shut down its light-rail ticketing machines and point-of-payment systems and allowing passengers to ride for free.
A message reading “You hacked. ALL data encrypted” appeared on ticket machines Saturday morning, along with a contact email address — suggesting a ransomware attack, in which a hacker locks a system’s owners out of it. The San Francisco Municipal Transportation System, known as Muni, quickly shut down the payment system, opening its gates to passengers.
The system was restored by Sunday morning, according to Muni. The agency did not say how the situation was resolved.
The attack left Muni scrambling to discover the extent of damage, and whether any employee or passenger data had been breached. “At this point there are not any indications of any impacts to customers,” Muni spokesman Paul Rose told the San Francisco Chronicle on Sunday. “We’re doing a full investigation to find out exactly what we are dealing with.”
Among the chief concerns is whether the Clipper smart-card system was also breached. Muni is among 20 Bay Area transit agencies using Clipper cards for transit payments. The cards are used for about 800,000 fare payments a day, according to the Bay Area Metropolitan Transportation Commission, and many cardholders have their credit-card data on file.
The hack also raises disturbing questions about the digital security of America’s infrastructure and public safety; Muni trains are controlled by computers when they’re running in underground tunnels, although this weekend’s attack apparently did not access that system.
“I think it is terrifying,” one rider told KPIX 5 News on Saturday. “I really do. I think if they can start doing this, you know, here, we’re not safe anywhere.”
Earlier this year, a Southern California hospital’s computer system was held hostage by ransomware for more than a week, before the hospital paid about $17,000 in bitcoin to the hackers.