San Francisco Muni Hack Could Have Been a Catastrophe

Shortly after Thanksgiving, the San Francisco Municipal Transit Agency came under attack. "Someone had attacked Muni’s computer system and was demanding a ransom. Monitors in station agent booths were seen with the message, 'You Hacked. ALL data encrypted,' and the culprit allegedly demanded 100 Bitcoin (about $73,000)," Jack Stewart writes in a story for Wired.

Some riders may not even have considered that the payment machines they were using were connected to the internet, but they were. While Muni says they did not pay off the hackers, many (like this Kansas hospital) do. Like hospitals, transit systems make easy targets because, as Jack Stewart explains, "Many are aging and underfunded, with barely enough money to keep the trains running, let alone invest in IT security upgrades." This means private information about customers and employees is vulnerable. 

Worse still, the problem is not just one of budgets. Connectivity is the natural consequence of a world that can do so much with internet, so more and more devices are coming online all the time and there are more and more places bad actors can take advantage of vulnerabilities. Also, digital locks, like DRM, create paths for criminals to use to break into our systems. For transit systems those devices must be accessible to the public 24 hours a day.

Stewart suggests that transit systems need to be prepared for the problem, writing, "They should create procedures for a cyber attack, then communicate, review, and update them on a regular basis." There's also work our legislators could do to make it safer to expose security risks that agencies like SFMTA and hospitals may be exposing their customers to.