Sacramento, Calif., Transit System Recovers from Ransomware Attack

Sacramento Regional Transit was able to restore its website and 80 percent of the data destroyed by hackers with help from back-up devices and federal experts.

by Tony Bizjak, The Sacramento Bee / November 22, 2017

(TNS) –– Sacramento Regional Transit restored its website Tuesday following a weekend cyberattack and began meeting with federal security experts on ways to reduce the chance of future breaches.

SacRT officials said the agency has recovered 80 percent of the destroyed internal systems data so far via back-up devices, with more retrieval expected in the coming days.

“We don’t anticipate losing much of anything,” SacRT operations chief Mark Lonergan said.

Federal Department of Homeland Security officials visited SacRT headquarters Tuesday to review the incident and offer analytical and security expertise, Lonergan said. The agency also filed a crime report with the Sacramento Police Department.

A DHS federal spokesman, Scott McConnell, confirmed his agency’s involvement, but declined comment, saying DHS’ work with local agencies is confidential.

An initial review found that no data was stolen, Lonergan said. Train and bus service was not affected.

However, Betsy Cooper, a national security expert and former DHS attorney, said it typically takes days or weeks of analysis to fully understand the nature of the attack and its impacts, including whether any data was taken.

“I hope it is true that no customer data was accessed,” said Cooper, who is head of the UC Berkeley Center for Long-Term Cybersecurity. “But it takes a bit of time to know what the hacker did.”

The attack was the first major cyber assault on the transit agency, Lonergan said. He described SacRT’s computer systems protection layer as strong, but said the agency intends to improve the system.

“Once fully restored, we intend to go through a deeper forensic look to make sure we didn’t miss anything,” he said.

Lonergan and other SacRT officials described a dramatic moment Sunday morning when their computer security system alerted officials that large amounts of data were being mysteriously erased.

At about that time, the agency received a private Facebook message from an anonymous hacker demanding that SacRT pay a one bitcoin ransom, worth over $8,000 as of Tuesday.

The message read: “hello, I will always attack your website, we are hackers. we can do everything. Pay us now to stop attacking.”

SacRT officials said they did not respond to the hacker and did not pay the ransom. They were able to shut down their systems quickly to prevent further erasures. Most of the erased data had been recently backed up, Lonergan said.

UC Berkeley cybersecurity expert Cooper said such attacks are growing as companies move more operations onto computers. Hackers typically go after the systems that are easiest to infiltrate, she said.

“Companies should expect there are going to be increasing attempts to test out their networks and see whether they are vulnerable, and they should have security built in so they aren’t the low-hanging fruit that hackers can attack,” Cooper said.

She said she recommends that companies increase cybersecurity training for employees, who sometimes allow a virus into the company system by clicking on a hacker’s link. She also recommends companies use two-factor authentication for all sensitive products, and that companies compartmentalize their data so that system breaches can be contained.

Numerous private sector companies have been hit by major cyberattacks. Uber executives revealed on Tuesday that 600,000 names and driver’s license numbers were stolen last year from cloud-based storage the company uses. Earlier this year, credit reporting agency Equifax fell victim to a hacker who reportedly obtained personal data for nearly 150 million consumers.

San Francisco’s bus and rail agency suffered a similar cyberattack a year ago that forced the agency to shut down its fare vending machines as a precaution.

Lonergan said the cyberattack threat is pervasive. “There are two kinds of businesses, those who have been hacked and those that will be hacked.”

©2017 The Sacramento Bee (Sacramento, Calif.) Distributed by Tribune Content Agency, LLC.