TransLink, STM experienced cyber attacks this fall

Two Canadian transit systems, which provided a combined 826 million rides in 2019, faced a pair of cyber attacks this fall. Société de transport de Montréal (STM) identified a ransomware cyber attack Oct. 19, while Metro Vancouver’s TransLink experienced a cyber attack in early December. 

TransLink’s online payment services and other IT infrastructure were impacted during the attack, but the transit agency said safety systems were not affected.

“TransLink employs a number of tools to prevent, identify and mitigate these types of attacks. Upon detection, we took immediate steps to isolate and shut-down key IT assets and systems in order to contain the threat and reduce the impact on our operations and infrastructure. We are now working to resume normal operations as quickly and safely as possible,” TransLink CEO Kevin Desmond included in a statement issued following the cyber attack.

Desmond notes TransLink uses a third-party payment processor for fare transactions and does not store or have access to fare payment data.

According to local Metro Vancouver news outlets, TransLink experienced the Egregor ransomware attack, which carries a hallmark of printing ransom notes on the attacked organization’s printers. Desmond’s statement confirmed the attack included “communications to TransLink through a printed message.”

A journalist for Global News posted a copy of the ransom note on Twitter in which TransLink is asked to contact the hackers within a certain number of days or risk stolen data being leaked.

This “double extortion” type of attack was recently covered by Randy Pargman in the November issue of Mass Transit.

Pargman writes, “The changes that are happening in ransomware reflect a broader evolution of cybercrime, as hackers are becoming more sophisticated and better organized.”

Pargman recommends developing a “defense-in-depth” approach to cybersecurity that “anticipates all of the associated threats so that even if one part of a security program fails, the others will be able to pick up the slack and limit damage.”

TransLink is actively investigating and said it confirmed the cyber attack to keep employees and customers informed and to alert other organizations of the dangers of ransomware attacks.

On the opposite side of Canada, STM experienced a “highly sophisticated variant of the RansomExx computer virus” in October, which the agency said included a high level of automation.

STM was able to isolate the impacted systems within four hours and restore 600 critical servers that were affected. That number represents more than 37 percent of the agency’s total number of servers. The agency credits the speed of response to the “numerous IT protection investments” it has made during the past six years.

STM has concluded its investigation in November and determined no massive data leak had occurred. Out of 11,000 employees, 24 had some “low sensitivity personal information” accessed and two of those had more sensitive information stolen. However, STM said the two employees were notified and offered support from a specialized firm. Out of 645,000 customers, 72 had the same low sensitivity information accessed. STM said they were contacted and advised on IT security for their computers.

“Thanks to rigorous preparation, investments of tens of millions of dollars and numerous improvements implemented over the past six years, the STM and its teams, who I want to thank for their hard work during this crisis, were able to isolate the attack and restore our servers, without major damage to the STM, its customers and its employees,” said STM CEO Luc Tremblay