Nico Savidge, South Bay reporter for the Bay Area News Group, is photographed for a Wordpress profile in San Jose, Calif., on Wednesday, Jan. 9, 2019. (Laura A. Oda/Bay Area News Group)

A group of hackers claims to have stolen a trove of data from the Santa Clara Valley Transportation Authority in an apparent ransomware attack that has paralyzed many of the agency’s computer systems for days.

VTA officials initially said they believed they had contained the attack, which began over the weekend. But in a post on the dark web Thursday, a hacker group calling itself “Astro” wrote that it stole 150 gigabytes of data from the transit authority and is threatening to post it publicly if VTA does not “cooperate.”

Brett Callow, a threat analyst with the cybersecurity firm Emsisoft, said hackers in ransomware attacks such as this one make copies of sensitive data on the networks of governments, corporations and other entities. They typically demand a ransom to delete the information they stole, which could include the personal information of customers or workers, confidential employee misconduct records and other data that is “not the type of thing people want to end up online,” Callow said.

VTA spokesperson Stacey Hendler Ross said Friday morning the agency was still trying to determine whether any personal information of customers or employees was compromised in the attack. The hackers’ post does not identify what kind of data they have.

When asked directly about the hackers’ claims, including whether the agency has received any monetary threats, Hendler Ross repeatedly declined to comment.

“We are still working on it, we’re working with third-party experts that specialize in this, and we’re trying to get these systems back online to protect all the information that we have,” Hendler Ross said.

Buses, light rail trains and paratransit service have all continued running despite the attack.

The agency’s priority was to proactively shut down technology systems to contain the event, which affected functions such as real-time arrival information and VTA employee email. As of late Friday morning, self-service systems for customer service and paratransit are still not available; engineers are working to bring them back online.

Customers seeking help or paratransit services can call 408-321-2300.

Hendler Ross said that VTA “will move quickly to notify the appropriate parties” if it determines there was a breach of any personal data, and is working with law enforcement to investigate the attack.

Government agencies are a frequent target of ransomware — more than 2,300 public-sector organizations experienced those attacks last year, according to Emsisoft, and 58 of those entities saw their data posted online. Others likely paid off the hackers.

Ransom amounts vary “enormously,” Callow said. Local governments in Pennsylvania and Oregon paid ransoms in the hundreds of thousands of dollars last year, while the highest publicly confirmed payout was $50 million, he said.

“It can be a significant amount of money,” Callow said.

Staff writer Fiona Kelliher contributed to this report.