Update on SFMTA Ransomware Attack

Monday, November 28, 2016

Updated 5:22 p.m., Monday, Nov. 28:

Thank you for your attention and patience as we restore our office computers from this weekend’s ransomware attack. We want to provide as much information as possible. To that end, below is a summary of the effects of the attack as we currently understand them.

On Friday, Nov. 25, we became aware of a potential security issue with our computer systems, including email. The malware used encrypted some systems, mainly affecting office computers, as well as access to various systems. However, the SFMTA network was not breached from the outside, nor did hackers gain entry through our firewalls. Muni operations and safety were not affected. Our customer payment systems were not hacked. Also, despite media reports, no data was accessed from any of our servers.

In coordination with our partners at Cubic Transportation Systems, who operate Clipper®, we took the precaution of turning off the ticket machines and faregates in the Muni Metro subway stations, starting Friday until 9 a.m., Sunday. This action was to minimize any potential risk or inconvenience to Muni customers. The primary impact of the attack was to approximately 900 office computers. The SFMTA's payroll system remained operational, but access to it was temporarily affected. There will be no impact to employees' pay.

Upon discovering the malware, we immediately contacted the Department of Homeland Security (DHS) to identify and contain the virus. We are working closely with the FBI and DHS on this matter.

The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.

Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two.

Update 7 a.m., Monday, Nov. 28:

On Nov. 25, the SFMTA was a victim of a ransomware attack. This cybercrime disrupted some of our internal computer systems, including email. Transit service was unaffected and there were no impacts to the safe operation of buses and Muni Metro. Neither customer privacy nor transaction information was compromised.

The situation is now contained, and we have prioritized restoring our systems to be fully operational. 

As this is an ongoing investigation, it wouldn't be appropriate to provide additional details at this time.