Computer hackers directly attacked the Sacramento Regional Transit system computers this weekend, erasing data and threatening to do more harm if SacRT doesn’t pay them one bitcoin, now worth about $8,000.
The attack erased parts of computer programs on the agency’s servers that affect internal operations, including the ability to use computers to dispatch employees and assign buses for routes, chief operating officer Mark Lonergan said.
Regional Transit officials said they have determined that no data was stolen and are working to secure their system from further attack. Bus and rail service has not been affected.
The agency took down its web homepage for customer information and shut down its systems for processing credit card payments on Connect Cards until agency officials can add security to prevent hackers from getting into SacRT’s computer system in the future.
The agency’s mobile fare app, which is on a separate cloud-based system, remains fully operable, Lonergan said, including allowing users to add fare value to the app.
Agency technicians were using backed up data to refresh internal systems on Sunday and Monday, Lonergan said.
SacRT had not yet notified police of the crime Monday morning, but planned to, he said.
The hackers announced their presence on Saturday when they “defaced” the agency’s main webpage, putting up a note saying, “I’m sorry to modify the home page, i’m good hacker, i I just want to help you fix these vulnerability. This is one of the loopholes, modify the home page …”
That message turned out to be a trap, Lonergan said. When technicians went into the SacRT system to check out the damage, it unleashed the attack Sunday morning that erased the virtual servers.
The hacker or hackers sent a Facebook message to SacRT Sunday morning demanding ransom, with the message, saying, “hello, I will always attack your website, we are hackers. we can do everything. Pay us now to stop attacking.”
The hackers asked for a bitcoin – whose worth soared above $8,000 on Monday. SacRT did not respond to that demand. Lonergan said the agency’s security systems had already noticed that data was being erased.
“We caught it early (Sunday) morning,” he said. “We took all our systems offline” and determined what data had been erased. “We are restoring everything now and bringing it up online.”
Lonergan said the agency was able to track how the hackers entered the system, and what the hack was doing. “That is how we know no data exited,” he said. “This was about destruction.”
The agency’s system has suffered from virus and malware attacks in the past, but had never suffered an attack that destroyed data.
Lonergan said light rail and buses continue to run on a normal schedule. The trains and buses are run under control of an operator, with minimal automation, he said.
He said technicians estimate it could be several days before the agency’s system is fully restored. The agency then plans to bring in an expert “to review our vulnerabilities and make this less likely to happen again,” Lonergan said.