A hacking group stole confidential data from the St. Louis area’s transportation agency in a cyberattack earlier this month and is threatening to publish it if officials do not pay a ransom.
Neither transportation officials nor the hackers have specified how much data was stolen or how much money is being demanded. The hackers claim they stole information related to the regional transportation system Metro Transit, including passports, Social Security numbers and tax information.
A Metro Transit official said no customer data has been compromised, but the investigation is ongoing.
Brett Callow, an analyst with the New Zealand-based cybersecurity company Emsisoft, shared screenshots with the Post-Dispatch that show the hackers threatening to publish the data if transportation officials don’t pay up. The screenshots were published on an unregulated part of the internet called the dark web, which is often used by hackers to publish ransom threats.
The same hacking group hit several other public agencies over the past year, including the City of Oakland and the San Bernardino Sheriff’s Office in California, and government agencies in the United Kingdom and Germany, security analysts say. The San Bernardino Sheriff’s Office paid the group a $1.1 million ransom.
Metro Transit, the regional transit system operated by Bi-State Development, was first hit by the cyberattack on Oct. 2. Phone and computer services for its paratransit service named Call-A-Ride were still disrupted as late as last week.
The agency took its computer systems offline after the attack, and it has since restored transit operations and secured its financial and payroll systems, said Bi-State President and CEO Taulby Roach.
Roach confirmed the attack included a ransom demand, but he said the agency is still trying to determine if workers’ sensitive data was stolen.
Bi-State has more than 1,800 employees, and Roach said in a written statement that the employees have been notified of the risk and offered free identity protection assistance.
“This threat is an attempt to extort the public’s money by targeting our fundamental public infrastructure,” Roach said in a statement Wednesday. “This event should not be taken lightly, and we will make every attempt to fight this adversary and defend the public interest.”
The attack that hit Metro Transit is known as ransomware because criminals hack a system, encrypt data from it, lock out the owner and then demand a ransom in order to unlock the system and delete the stolen data.
Both Callow and Allan Liska, a Washington, D.C.-based ransomware researcher, said it is better if ransomware victims don’t pay, to deter future attacks.
“The fewer organizations pay, the less incentive bad actors have to carry out attacks,” Callow said.
And Liska said there is also no guarantee payment would prevent the group from publishing the data anyway.
Public agencies can better defend themselves against ransomware attacks by requiring people who log into their systems to go through multiple levels of identification verification, segmenting their computer networks to make it harder for hackers to access data with one breach, and ensuring that vendors who store data on their behalf are also secure, Liska said.
“Knowing where and how and when your data is stored is really important,” he said.
Third-party cybersecurity specialists are assisting Bi-State’s investigation, which includes determining whether any sensitive personal information was impacted and notifying anyone whose information was impacted, Roach said.
“Our team has worked tirelessly to restore our network systems and minimize any disruption to services,” Roach said. “We sincerely appreciate the public’s patience and understanding during this challenging time and apologize for any inconvenience as we continue these restoration efforts.”
ST. LOUIS POST-DISPATCH