
Cyber Incident Victim: Metro Vancouver Transit Police

Date: May 2023

Location: Canada

Summary

The Metro Vancouver Transit Police were impacted by a global cyberattack that exploited a security vulnerability in third-party MOVEit file transfer software. Hackers accessed approximately 186 files, though they did not breach the police network itself. A review was initiated to determine the nature of the information contained in those files. The software vulnerability was subsequently patched, and there was no indication the incident affected police investigations or prosecutions.


Description

On or around May 31, 2023, the Metro Vancouver Transit Police publicly disclosed they had fallen victim to a global cyberattack. The incident did not involve a direct breach of the law enforcement agency's own internal network. Instead, the compromise was achieved through the exploitation of a security vulnerability contained within a third-party software application utilized by the agency. This software was identified as MOVEit, a file-transfer encryption product developed by the US-based company Ipswitch, Inc. The attackers targeted this specific software to gain unauthorized access to data.


The mechanism of the attack centered on a vulnerability within the MOVEit software itself. Threat actors identified and exploited this security flaw to access files that were being transferred or stored using the application. The Transit Police confirmed that through this method, the hackers were able to access a specific number of files. The agency stated that close to 200 files were involved, providing a precise figure of 186 files that were accessed by the unauthorized parties. This access was solely through the third-party file transfer system and did not extend into the Transit Police's core operational network.

Upon discovery of the incident, the Metro Vancouver Transit Police initiated a response. A primary immediate action was the application of a patch to the MOVEit software to repair the identified security vulnerability. The agency publicly stated that the software had since been patched and repaired, indicating that the known entry point used by the attackers had been closed. This action was part of the initial containment effort to prevent any further unauthorized access via the same method.

A significant and ongoing component of the response was the launch of a thorough internal review. The purpose of this review was to determine the exact nature and sensitivity of the information contained within the 186 files that were accessed by the attackers. This process was necessary to assess the potential impact of the data breach, as the contents of the files were not immediately known or detailed in the initial disclosure. The investigation aimed to catalog what specific data, whether pertaining to employees, operations, or the public, may have been exposed.

Concurrently, the agency assessed the operational impact of the cyberattack on its core law enforcement functions. The Transit Police provided a statement indicating that, based on their initial findings, there was no sign the cyberattack had impacted police investigations or prosecutions. This suggested that the compromised file transfer system was separate from the primary systems used for active police work, and that the integrity of ongoing investigations remained intact despite the breach of the ancillary file-sharing service.

The incident was not an isolated event targeting the Transit Police alone. Reports indicated this was part of a larger, global hacking campaign that exploited the same MOVEit software vulnerability. According to a CNN news report cited in the disclosure, several US federal departments were among the other victims of this widespread campaign. The US Department of Energy was specifically mentioned as having been affected. The scale of the campaign highlighted that the vulnerability in a commonly used third-party product had provided attackers with a vector to target multiple organizations across different sectors and international borders.

Attribution for the broader campaign was also discussed in the reporting. The CNN report stated that Russian hackers were identified as the first group to target the MOVEit vulnerability. This initial attribution pointed to a sophisticated threat actor, though the report also noted that other groups may have subsequently begun exploiting the same vulnerability. The Metro Vancouver Transit Police did not provide specific attribution for their own incident, focusing instead on the nature of the breach and their response actions.

The primary known impact of the incident for the Metro Vancouver Transit Police was the confirmed access of 186 files. The full consequences were pending the outcome of the thorough review to determine what specific information those files contained. The potential existed for the exposure of sensitive data, but the agency had not released details regarding whether the data involved personal information of employees or citizens, or pertained to internal agency operations. The initial statement did not clarify whether the files were exfiltrated or only accessed.

The response actions therefore focused heavily on investigation and assessment. Containing the immediate threat by patching the software was the first step, followed by the detailed analysis of the compromised files to understand the scope of the data exposure. The agency would likely need to proceed with subsequent steps based on the findings of this review, such as providing notice to any individuals whose personal information was contained in the files, as required by privacy laws. However, these potential future actions were not detailed in the initial announcement.

The reliance on a third-party software vendor for secure file transfer introduced a specific risk vector that was exploited by the attackers. The incident underscored the cybersecurity challenges faced by organizations that integrate external software into their operations, as a vulnerability in that external product can directly impact the organization's security posture even if its own internal defenses remain robust. The Transit Police’s experience mirrored that of numerous other organizations caught in the same global campaign, all linked by their use of the vulnerable MOVEit application.

In summary, the Metro Vancouver Transit Police cyber incident was a case of a third-party software supply chain attack. Attackers exploited a vulnerability in the MOVEit file transfer tool to access 186 files. The agency responded by patching the software, launching an internal review to determine the nature of the exposed data, and assessing that core police operations were unaffected. The event was part of a larger international cyberattack that impacted numerous high-profile organizations, with initial reports attributing the campaign to Russian hackers. The full impact on the Transit Police was contingent on the findings of the ongoing review into the contents of the accessed files.
