The Presto transit fare card used by millions of riders in Toronto, Hamilton and Ottawa is not immune to the type of cyberattack that crippled San Francisco’s transit agency last weekend, according to IT security experts and Metrolinx.
Hackers took down the Muni transit system’s computers, rendering its fare-payment cards useless, so San Francisco transit officials were forced to let commuters ride for free.
The culprits used ransomware, a type of malicious software designed to extort money from the computer system’s owner. Ransomware locks or encrypts a system’s data, making it impossible to use, and the hackers demand payment to restore access.
It’s the kind of thing that could happen not only to the Presto system, but to any computerized aspect of transit, such as dispatching, GPS tracking and track signals.
“If we said, ‘It could never happen here,’ then you would leave yourself very vulnerable,” said Anne Marie Aikins, spokesperson for Metrolinx, the agency that manages the Presto card, as well as GO Transit and the Union-Pearson Express.
“Any kind of attack can happen anywhere,” Aikins said Tuesday in an interview with CBC Toronto. “One of the most important things to protecting yourself is to acknowledge that every system is vulnerable and then to protect yourself as best you can.”
Atty Mashatan, an assistant professor of information technology management at Ryerson University, agrees that ransomware can attack any computer system that’s not properly protected, and transit agencies are no exception.
“It’s no longer a matter of if an organization is going to be hit by ransomware, it’s when they’ll be hit and affected,” said Matashan in an interview. “And when it happens, are they prepared and ready or not?”
The San Francisco transit attackers demanded ransom in the digital currency Bitcoin worth about $73,000 (US).
There have been no public reports of such attacks on Canadian transit systems, but post-secondary institutions have been hit. On Tuesday, Carleton University warned students that ransomware messages were appearing on computers logged into its system.
The University of Calgary paid $20,000 in response to a ransomware cyberattack on its computer systems earlier this year. Memorial University of Newfoundland faced a small-scale ransomware attack just last month.
Other ransomware attacks have hit hospitals in Ontario, law firms in B.C. and even ordinary Canadian families,
Ransomware “clearly is a growth industry,” said Robert Hudyma, an associate professor at Ryerson’s School of Information Technology Management. “The attackers can come from anywhere in the world.”
Any transit system using technology similar to San Francisco’s would be vulnerable, Hudyma said, but companies can lessen their vulnerability with state-of-the-art design of their IT systems. “It wouldn’t be hacker-proof but it would be resistant to hackers,” he said.
Metrolinx has made “significant investments” in IT security, said Aikins, and has added roles in its organization to stay on top of cyber risks as they evolve. “You have to make sure you’re armed against all the ways [hackers]could impact your service,” she said.
She said Metrolinx staff heard about the San Francisco cyberattack as it was happening and stand to learn lessons from it.
Metrolinx says more than two million customers are using Presto cards on GO Transit, Toronto’s TTC, Ottawa’s OC Transpo, and the local transit services in such locations as Hamilton, Mississauga, York Region and Durham Region.