A ransomware attack against San Francisco’s Bay Area Rapid Transit exposed highly sensitive and personal data after a threat group leaked the records Friday. The nation’s fifth-largest transit system by ridership, and largest in California, remains operational.
Vice Society, a prolific ransomware group, claimed responsibility for the attack on Friday when it listed BART on its leak site.
The allegedly stolen data, according to screenshots provided to Cybersecurity Dive, includes a long list of files titled “master employee list,” “background disposition” reports, crime lab reports, police reports, a “suspected child abuse report,” a controlled substances examination report for heroin and other highly sensitive and personal data.
The data, much of which appears to be related to the transit agency’s police department, was posted to a leak site controlled by Vice Society.
“We are investigating the data that has been posted,” Alicia Trost, the agency’s chief communications officer, said via email. The agency did not say whether ransomware was involved nor when the incident occurred.
“No BART services or internal business systems have been impacted. As with other government agencies, we are taking all necessary precautions to respond,” Trost said.
BART did not respond to questions about a potential ransom demand or its response, or if federal or state authorities have been notified.
“Attacks on police departments are among the most serious due to the sensitivity of the information they hold, and the potential consequences if that information is exposed,” Brett Callow, threat analyst at Emsisoft, said via email.
“Lives could be put at risk, investigations compromised, evidence lost and prosecutions dropped,” he said.
Transit sector remains highly vulnerable
Multiple transit and rail systems have been hit by cyberattacks, including an April 2021 attack on the New York City Metropolitan Transportation Authority; a May 2020 attack on the Colorado Department of Transportation; a December 2020 ransomware attack on Metro Vancouver TransLink; and a January 2018 attack on Toronto Metrolinx.
The transit sector, in particular, is significantly more vulnerable than other industries, according to Chester Wisniewski, principal research scientist at Sophos.
“It’s always a nightmare when it’s a government agency,” he said. “There’s a reason we keep hearing about schools, hospitals and government.”
“They have the worst security by far generally. It’s run on tax money and it’s run as a bureaucracy, and their mission is to deliver transit,” which means they often don’t spend enough on cybersecurity or properly assess the risk, Wisniewski said.
The Transportation Security Administration in October 2022 responded to the ongoing threat confronting the nation’s freight and passenger rail systems by strengthening cybersecurity directives for transit owners and operators.
The agency in December 2021 announced new directives and voluntary guidelines to address incident reporting and coordination.
Vice Society ramps up pressure on public sector
While sensitive personal information held by BART appears to be exposed, the good news is these incidents don’t usually lead to widespread identity fraud for the individual victims, according to Wisniewski.
“Most [of] the time, it appears the only thing they’re doing with it is extorting people. They’re using it to try to get the ransom paid or to extort BART, but if they don’t get the extortion money it’s not like they then start literally one by one committing identity theft,” he said.
Vice Society follows that mold and has hit some big targets.
“The group is financially motivated and continues to focus on organizations where there are weaker security controls and a higher likelihood of compromise and ransom payment,” Microsoft Security researchers said in an October 2022 report.
The threat actor, which first appeared in June 2021, uses a wholly owned ransomware payload with branded extensions that set it apart from other threat actors, Microsoft Security researchers said.
The group’s consistent modifications to ransomware payloads and its use of multiple malware strains suggests it deploys different variants and techniques based on weaknesses found in targeted organizations.
Vice Society attacked the Los Angeles Unified School District in September 2022. After the nation’s second-largest school system refused the group’s ransom demand, the threat actor leaked about 250,000 district files on the dark web, including personal and potentially damaging information on students and employees.
A joint Cybersecurity Advisory from federal authorities singled out Vice Society the same day the district publicly disclosed the incident. The FBI and Cybersecurity and Infrastructure Security Agency assisted the Los Angeles schools system’s investigation and response.
“Vice Society is somewhat unusual in that they heavily target the public sector, especially schools, whereas most ransomware operations prefer the private sector, probably because the return on investment is better,” Callow said. “The reason for their preference is not clear.”
