Cyber Incident Victim: Société de transport de Montréal
Date: Oct 2020
Location: Canada
Summary
A ransomware attack targeted Montréal's transit agency; the attackers demanded a $2.8 million ransom, which was refused. The incident disrupted the adapted transit reservation system and affected approximately 1,000 servers, including 624 operationally critical ones, though bus and metro services remained operational. No data exfiltration occurred. Systems were progressively restored: the reservation service returned within days and most servers were recovered subsequently. Employee payments proceeded nearly normally and supplier payments were unaffected. The attack originated from a phishing email and shared similarities with RansomExx ransomware; investigations were ongoing.
Description
On October 19, 2020, the Société de transport de Montréal (STM) experienced a ransomware attack that disrupted its network operations. The attack compromised approximately 1,000 of the agency’s 1,600 servers, including 624 classified as operationally sensitive. Primary impact centered on STM’s reservation system for adapted transit services, which was forced offline. The incident did not affect Montreal’s bus and metro operations, and no data exfiltration occurred. After over a week without communication, the attacker contacted STM to demand a US $2.8 million ransom for restoring network access. STM publicly refused the demand on October 30, reaffirming its non-compliance stance. By October 25, the paratransit reservation system had been fully restored. As of October 29, 77% of affected servers had been recovered. Employee payroll processing for 11,000 staff proceeded with minimal disruption, while supplier payments remained unaffected throughout the incident.

Initial investigative findings indicated the attacker gained network access through a phishing email. STM characterized the ransomware’s behavior as similar to RansomExx but withheld further technical details pending the ongoing investigation. Recovery efforts prioritized restoring critical operational systems while maintaining public transit services. One week after the STM incident, a separate ransomware attack targeted CIUSSS du Centre-Ouest-de-l'Île-de-Montréal, a regional health agency, though no evidence linked the two events. The health agency implemented containment measures including network disconnections and remote access restrictions. STM continued server restoration and forensic analysis without disclosing additional attacker tactics or potential security control enhancements.
