Muni works to put price tag on weekend hack attack

San Francisco Municipal Railway fare systems are back up and running but crews are still working Monday to recover from an attack by hackers that resulted in many Muni riders getting free rides on Friday and Saturday.

The attack using ransomware software occurred Friday, when fare machines at all underground Muni stations began to display the message:

“You hacked, ALL data encrypted.”

The message included an email contact.

While all fare machines were back to normal by Sunday, the hackers have reportedly demanded a ransom to unencrypt affected computers and threatened to release agency data.

San Francisco Municipal Transportation Agency spokesman Paul Rose said the agency had restored around 75 percent of the affected computers as of the end of Sunday and hoped to have that to 100 percent by the end of today.

Rose emphasized that transit service and system safety were never compromised during the attack.

In addition, the agency has been working with the Department of Homeland Security and does not believe the hackers have access to any critical data including customer or employee personal data.

Rose said:

“We never even considered paying the ransom nor do we intend to do so.”

Investigators do not think the incident was caused by a targeted hacking attack, but rather by someone within the SFMTA system unwittingly clicking on a link in an email or on a web site that downloaded the ransomware software.

The attack affected internal computer systems including email and part of the payroll system, but “never breached our firewall,” Rose said.

Muni officials are still working to calculate the full cost of the incident in terms of lost fares and repair costs, and are working with the FBI to help identify the hackers.