Muni loses out on fares during ransomware attack

San Francisco transit officials have estimated that $50,000 in fare revenue was lost on the weekend of Nov. 26 because of a malicious software attack that prompted officials to shut off ticket vending machines and open fare gates inside the Muni subway stations.

Paul Rose, spokesperson for the San Francisco Municipal Transportation Agency, said the revenue was lost when gates were left open for part of Friday and all of Saturday before reopening Sunday at 9 a.m.

Rose said on average, the transit agency brings in $120,000 on a weekend day.

He added:

“These estimates represent a relatively small fraction of our overall budget. Once we learned of the incident, our top priority was to ensure that our customers and employees were safe and secure.”

The SFMTA’s two-year budget approved earlier this year topped $1 billion.

Last Friday, the SFMTA’s computer system was hit by a ransomware attack that affected office computers, internal computer systems and computers inside station agent booths.

As a precaution, the transit agency turned off ticket vending machines and fare gates, leaving them wide open for Muni subway riders to enter for free.

According to the Department of Homeland Security, a ransomware attack occurs when a person downloads the malicious software on their computer. The computer is then taken over by the person who created the ransomware. That person will then request a ransom in order to unlock the computer.

The person who got into the SFMTA’s computer system demanded the transit agency pay 100 bitcoin, about $73,000. The transit agency never paid the ransom.

Both DHS and the FBI are working with the transit agency in investigating the cyber attack, said Rose.

He said that, based on the federal agencies’ initial findings, all information pointed to a network user clicking on a link that contained the ransomware.

As of Thursday afternoon, Rose said most if not all computer systems are up and running while staff are still working on restoring a few internal computer programs.

Earlier this week, the person who allegedly took control of the SFMTA’s computer system was also hacked.

Brian Krebs, who writes about cyber crime on his website, “Krebs On Security,” said a security researcher had contacted him and told him that they got into the hacker’s email account, cryptom27@yandex.com.

It was the same email account that appeared on SFMTA computer screens last weekend and the same email account through which media outlets have been contacting someone identifying themselves as Andy Saolis.

Rose assured the public and the media that the alleged hacker did not get through the transit agency’s firewalls or breach any customer information:

“We continue to work with these agencies to fully investigate the incident and determine the specific details.”