Numerous news organizations are reporting that BART police files have been hacked and posted onto the dark web, including allegations of child abuse against officers, and perhaps your information if you’ve ever been cited by BART Police for a crime.
BART police officers may be especially on edge these days, in light of a Tuesday report from NBC News that a hacker group has apparently ransomwared BART’s internal systems and leaked an “enormous trove of sensitive files” onto the dark web. NBC News has reviewed the hacked and leaked information, and estimates that there are 120,000 internal BART files out there, apparently mostly Human Resources department-type files, “including specific allegations of child abuse” according to that organization.
The Bay Area News Group has some follow-up reporting that an established, well-known ransomware group Vice Society is taking credit for the hack. That particular hacker group is known for hacking hospitals, schools, and various other public agencies, hoping to exchange the hacked data for ransom payments.
BART insists that ridership will not be affected by the hack, though in doing so, they seem to acknowledge that yes this hack did happen. “To be clear, no BART services or internal business systems have been impacted,” BART spokesperson Alicia Trost told the Bay Area News Group. “As with other government agencies, we are taking all necessary precautions to respond.”
Cybersecurity experts tell NBC News that the fact these files are now online strongly indicates that BART refused to pay the ransom.
At first glance, this does not sound as bad as the 2011 BART Police Officers Association hack by an Anonymous-affiliated hacker (though SFist has not reviewed the hacked data). That 2011 hack released more than 100 officers’ email addresses, passwords and personal data.
But if you’ve ever been cited by BART police for a crime, then yes, there is a chance that information is among the leaked data.
More salaciously, according to NBC News, “At least six scanned, unredacted reports detailing suspected child abuse are among the files. Those reports state the name and birthdates of endangered children, and in some cases give descriptions of an adult and the alleged abuse.”
There are apparently also mental health records for officers referred for mental health evaluations among the data, names and driver’s license numbers of BART contractors, and hiring documents for BART police applicants.
And once this information is on the dark web, the toothpaste is effectively out of the tube. “It’s often the case that other people scrape the data,” cybersecurity analyst Brett Callow tells the Bay Area News Group. “Once the data is posted on these sites there is no way of knowing where it will end up or what other people may do with it.”
Related: 49ers Forced to Notify Nearly 21,000 People That They Had Their Personal Data Obtained by Hackers [SFist]
Image: BART Police Department via Facebook