Cyber Incident Victim: Sacramento Regional Transit system
Date: Nov 2017
Location: United States of America
Summary
Hackers attacked a regional transit system, defacing its website, erasing server data, and demanding a bitcoin ransom to halt further destruction. The agency refused payment, took systems offline to investigate, restored operations from backups, and temporarily disabled online accounts and credit card processing for fare cards. Internal operational programs were compromised, but no data theft occurred, and bus and rail services remained unaffected throughout the incident. External experts were engaged to assess vulnerabilities and strengthen defenses after services like fare machines and the website were restored, while a separate cloud-based mobile app continued functioning normally. The attackers sought payment solely to cease disruptive actions rather than to ransom stolen information.
Description
The Sacramento Regional Transit (SacRT) system experienced a cyberattack beginning on November 18, 2017, when hackers defaced the agency’s main webpage with a message claiming they intended to help fix vulnerabilities. The following day, the attackers escalated by erasing data from some of SacRT’s virtual servers and sending a Facebook message demanding one bitcoin (approximately $8,000 at the time) to cease further attacks. SacRT declined to pay the ransom or communicate with the hackers, opting instead to take all systems offline to assess the extent of the damage, investigate the intrusion methods, and begin restoration from backups. As a precaution, the agency disabled its website homepage and suspended credit card processing for Connect Cards—prepaid fare cards—until it could confirm that the attackers could not reach payment systems. Internal operational programs on the servers were partially erased during the attack, though no evidence indicated data exfiltration or theft.

SacRT restored public-facing services progressively, with the website returning online and fare vending machines regaining functionality shortly after the incident. Connect Cards also resumed normal operation, though online account access remained restricted during recovery. The agency’s mobile fare application, hosted on a separate cloud-based system, was unaffected. Light rail and bus services continued without disruption throughout the event. SacRT technicians worked to fully restore internal systems while engaging external cybersecurity experts to audit vulnerabilities and implement hardening measures. The attackers’ focus on disruption rather than data theft distinguished this incident from ransomware attacks such as the one that targeted the San Francisco Municipal Transportation Agency approximately a year earlier. That earlier attack was carried out by the same threat actors who attempted extortion against multiple U.S. organizations.
