Public Transportation's New Headache: Hackers

Amidst the chaos of Black Friday, San Francisco residents got a surprise when they realized the MUNI train system wasn't taking their money. More concerning, the machines read "You Hacked. ALL data encrypted."

A hacker had infiltrated the computer system, threatening to release 30 GB of stolen data from San Francisco's Municipal Railway System unless paid 100 bitcoins (~$73k). Muni opened the gates and kept trains running, and by Monday morning everything was back to normal. Muni launched an investigation into the incident that is still ongoing. 

An attack like this could've been far more dangerous, even life-threatening. “Cyberattacks can destroy a transit agency’s physical systems, render them inoperable, hand over control of those systems to an outside entity or jeopardize the privacy of employee or customer data,” the American Public Transportation Association has warned.

Many cities have aging, underfunded digital infrastructure that is just enough to keep trains running...a far cry from the high-level info security needed to prevent this kind of interference. The hacker himself said as much in an email to WIRED Magazine, "they don’t Pay for IT Security and using very old system’s!"

What can be done? The American Public Transportation Association wrote a whole paper on the issue in 2014: Cybersecurity Considerations for Public Transit. It argues agencies must design hardware and software with multi-tiered network security systems like firewalls, email scanning and software updates. Agencies must make greater effort to keep facilities physically and digitally secure. An effort should be made to train all employees to spot and respond to cyberattacks. Of course, an effort requires funding, which is a chronic issue in nearly every major public transit system.