A security breach at the San Francisco Municipal Transportation Agency remained under investigation Sunday, three days after a computer hack struck.
Transit service was not disrupted over the busy Thanksgiving holiday weekend, but ticket machines were taken off-line Friday evening and all day Saturday after the message “You Hacked, ALL Data Encrypted” appeared on Muni agents’ computer screens.
In what the transit agency described as a precaution, customers rode for free on Muni Metro light-rail trains as investigators examined the extent of the breach and the potential impacts.
“We are focused now on working to investigate the matter fully to find out all other details,” Muni spokesman Paul Rose said Sunday afternoon. “But at this point there is no impact to transit service, to our security systems or to our customers’ private information.”
Rose said Clipper cards used on Muni that involve online purchases are run by a separate, unaffected agency. He added that this hack is the first to Muni’s systems in recent memory.
Silicon Valley venture capitalist Mahendra Ramsinghani, who invests in early-stage security companies, agreed that the breach seemed unusual for a transit agency.
Ramsinghani and other cybersecurity experts described Friday’s hack as a possible “ransomware” attack, a type of malware preventing users from accessing their own computer system. It’s like a thief locking you out of your house and charging a fee to let you back in, Ramsinghani said. In such attacks, computer systems can be locked up, with an offer to unlock them following receipt of a bitcoin transfer.
Rose would not comment on the possibility that a ransom was sought from the transit agency, saying a statement would be “inappropriate” during the investigation.
But Ramsinghani said the Muni hack “has all the indications or symptoms of being a ransomware attack.” He described 2016 as “the year of ransomware,” with payoffs amounting to more than $1 billion so far this year. Technically vulnerable organizations such as churches, schools and hospitals have been targets, but rarely transit agencies, he said.
“It is the duty of an agency such as SFMTA/Muni to inform people of what they have discovered,” Ramsinghani said. “The fact that they have not stated anything tells me that there could be something deeper.”
Little information about the hack was made publicly available by Muni over the long holiday weekend.
Muni’s Twitter feed contained plenty of real-time updates Saturday and Sunday about sidewalk parking, stalled streetcars, dysfunctional elevators and downtown construction. But nothing alerted passengers to the security breach or its possible implications.
Professor Clifford Neuman, director of the University of Southern California’s Center for Computer System Security, said Sunday that transit agencies typically rely on different computer systems for purchasing tickets, payroll and critical infrastructure. That makes it difficult to know the impacts of this hack.
“Understanding the risks requires knowledge of which system was hacked,” Neuman said in an email. “There are links between them, especially if there are employees who use the same passwords or authentication methods in different systems, but usually this kind of breach is initially contained to just one of the systems and we don’t know which one.”