San Francisco Muni Ransomware Attack Should Be a Warning to Critical Infrastructure

    Slide Show

    Ransomware: The Rising Face of Cybercrime

    We know that businesses of all sizes can be victims of a cyberattack, but it seems like there has been a flurry of hacks on large organizations. Take this eSecurity Planet article, for example. It covered not just one cybersecurity incident, but multiple incidents that happened in a short time span:

    In a pair of major breaches announced over the past several days, hackers have stolen data from Michigan State University (MSU) and from the Madison Square Garden Company (MSG) entertainment venues Madison Square Garden, Radio City Musical Hall, the Beacon Theater, and the Chicago Theater.

    On the heels of this news came the ransomware attack on the San Francisco Municipal Transportation Agency (better known as Muni). As CNET reported, the hackers tried to extort $73,000 from the agency, but Muni fought back:

    In fact, this might be the rare hack that doesn’t turn into a PR disaster. That’s because Muni, which runs San Francisco’s bus, light rail and trolley car systems, had a backup of its system and no customer data was stolen.

    Muni lost money by giving away free rides over the weekend, but it didn’t pay the 100 bitcoins in ransom demanded by a hacker or hackers calling themselves “Andy Saolis.” Instead, Muni restored its systems with help from the agency’s internal tech team.

    I wanted to highlight this hack for a couple of reasons. The first is because of the quote above. Muni showed that with some forethought and planning, a security incident doesn’t have to turn into a nightmare scenario.

    The second reason is that the ransomware attack on Muni should serve as a warning about the vulnerabilities in the nation’s transportation and overall critical infrastructure. Muni was prepared for such an attack, but are other infrastructure systems? As Javvad Malik, security advocate at AlienVault, told me in an email comment:

    The San Francisco Muni breach reinforces the repeated concerns many cybersecurity professionals have over internet-connected systems and the Internet of Things (IoT) as a whole. Whenever systems are wholly digitized and made accessible publicly, there is a risk that hackers will try to gain access. Segregating critical systems from public systems is of utmost importance. This also includes physical segregation, so as not to have access ports or systems in publicly accessible places.

    And while Muni did a good job in ensuring its system wasn’t knocked totally offline and that its customers were able to travel around the city, we don’t know how much damage was really done, Jo Webber, CEO of Spirion, told me via email:

    The attack is being downplayed as only having minimal effect on commuters. But while transit service may not have been interrupted, 2,000 servers were compromised, indicating that at the very least, the personal information of the 4,800 MUNI employees was also compromised. More alarming is the amount of additional information stored in the SFMTA systems. Ever get a ticket for an expired meter? Then your name, home address and license number are all in the system. Also, if you have ever been a commuter on MUNI transit programs, then your name, address, and other personal data is also in the system. Successful attacks targeting and accessing this kind of customer and employee data will inevitably occur when organizations don’t properly safeguard sensitive information.

    This is a cyberattack that moves beyond data theft and controlling computer systems. It could have easily shut down the transit system, and may very well do so in another, less prepared, city. I saw one article headline that downplayed the attack and highlighted the “free rides for everybody” aspect, but I think this East Bay Times article on the Muni hack is more appropriate: Muni should be a wake-up call.

    Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba

    Sue Poremba
    Sue Poremba is freelance writer based on Central PA. She's been writing about cybersecurity and technology trends since 2008.

    Latest Articles