Commenting on the news that San Francisco’s transport agency has been hacked, resulting in customers being able to travel for free, Mishcon de Reya Cyber Security Lead Joe Hancock said:
“This attack is intended to extort money from the San Francisco Municipal Railway by denying access to ticket machines, e-mail and personnel systems. The hackers have encrypted over 2000 machines and demanded 100 bitcoin, showing this to be a larger scale attack than others we have seen – usually it’s limited to just a few machines and 1 or 2 bitcoins per system.
“The attack has allowed passengers to ride for free in order to keep the railway running, and calls into question security and safety more widely. If the ransom is paid, it’s likely we’ll see other similar attacks with these real world consequences in 2017. Regulation around anonymous crypto currencies – like bitcoin – may now become a priority: removing the ability to receive anonymous payments will stop many of these criminal attacks, and should be a focus for government.
“There has been no mention of safety or railway operations being affected, suggesting the Municipal Transportation Agency (Muni) has older, analogue systems. Given that transport systems worldwide are being upgraded to digital systems, especially for signalling, the next attack of this kind has the potential to stop trains or impact passenger safety.
“Businesses need to be resilient to these attacks. In the case of Muni, it’s positive that trains have kept running, even when the systems are under attack. For many businesses, a hack of this scale would mean shutting up shop for a few days. Despite the measures that are in place, the reputational fallout could be enough to stop those passengers with another option from using this public transport: with over 600,000 daily riders, Muni is dependent on its fares to operate. This attack could call the security in lots of transport sectors – such as airlines and shipping – into question.
“There is likely to be a greater uptake in Business Interruption coverage through Cyber Insurance, which has been on offer from insurers for a while with limited uptake. In light of these events, we would expect this to change. Businesses which rely on physical operations should review their cyber risks, as much as those that rely on eCommerce or digital channels.”