Hackers leaked hundreds of thousands of sensitive files from San Francisco’s transit police department, including child abuse records, in a suspected ransomware attack.
The hacking group published 120,000 files stolen from the San Francisco Bay Area Rapid Transit System (BART) Police department. NBC News reported that the incident did not disrupt internal systems, and authorities had launched an investigation.
Hackers exposed child abuse and mental health files from transit police department
The Vice Society hacking group listed BART on its data leak site and published a collection of 120,000 files. The files include unredacted reports detailing suspected child abuse, including the children’s names and birth dates, and in some cases, the descriptions of the adult and the alleged child abuse incident.
The leak also exposed mental health record forms that the transit police department could use to recommend someone for mental health evaluation, reports linking named suspects to various crimes, BART contractors’ names and driver’s license numbers, and recruitment candidates’ documents.
BART’s chief communication officer Alicia Trost told NBC News officials were investigating the suspected ransomware attack.
Although Trost withheld the identity of the group responsible for the ransomware attack pending an ongoing investigation, she clarified that the incident did not impact BART’s internal systems.
Sometimes, ransomware groups steal sensitive data without encrypting devices since many organizations can easily restore systems from backups without paying a ransom. Additionally, organizations have learned that paying a ransom rarely guarantees the recovery of encrypted data. However, the damage caused by publishing sensitive data online, such as the transit police department’s investigation files, could be irreparable, thus influencing an organization’s decision to pay.
BART did not disclose how the hackers gained access or if the transit police department was the sole target of the suspected ransomware attack.
Vice Society claims responsibility for BART ransomware attack
Vice Society, an established group of ransomware hackers, listed BART on its dark web data leak site, suggesting that it was responsible for the attack.
Like other groups that attack specific organizations, Vice Society is responsible for multiple ransomware attacks on US public sector organizations.
“Unfortunately, public sector organizations tend to be at higher risk for a breach,” said Avishai Avivi, CISO at SafeBreach. “The challenge of attracting cybersecurity talent, combined with constrained budgets, typically correlates with a lagging cybersecurity program. Public sector organizations are also less likely to have the option of paying the ransom that the malicious actors are demanding.”
Rail systems have experienced increased cyber attacks from multiple APT groups
In April 2021, a group of state-sponsored Chinese hackers compromised New York City’s Metropolitan Transportation system by exploiting software vulnerabilities. The attack was the third cyber incident to affect North America’s largest rail system.
Similarly, Santa Clarita Valley Transportation Authority suffered a ransomware attack in the same month, while the Southeastern Pennsylvania Transportation Authority reported a similar attack in 2020.
In May 2022, the Transportation Security Administration (TSA) issued directives addressing persistent cyber-attacks on surface transport systems.
Threat actors have also repeatedly targeted police departments and leaked sensitive information that could jeopardize investigations and put victims and witnesses at risk.
The San Francisco Bay Area Rapid Transit police department’s leak occurred just weeks after Ragnar Locker published sensitive data, including child abuse photos, from Belgian’s Zwijndrecht police unit.
According to Avivi, threat actors have little regard for people whose information is stored in the leaked files. He advised public sector organizations to utilize CISA’s free cybersecurity services and follow its guidelines.
“No public sector organization can assume that they are not a target,” he said.
Roger Grimes, a data-driven defense evangelist at KnowBe4, said that the incident proved hackers have no ethics and only care about money.
“This continues to show that many hackers have zero ethics and do not care about anything else other than money. But once a hacker has access to an environment, they can do anything. That’s why it’s more important than anything else to stop the breach before it happens.”