Cyber Incident Victim: TransLink
Date: Dec 2020
Location: Canada
Summary
A ransomware attack on Vancouver's public transportation agency disrupted its fare payment systems, taking Compass card readers and ticket kiosks offline while transit operations themselves continued to run. Attackers using the Egregor ransomware strain compromised parts of the agency's IT infrastructure and delivered their ransom demand by sending it to the agency's printers, a tactic previously linked to an Egregor affiliate group. The agency initially described the disruption as technical issues and confirmed the cyberattack only after media reports. Tap to Pay at fare gates was restored while forensic investigation continued to determine whether data had been exfiltrated; payment card details were reportedly not stored by the agency and so were not exposed.
Description
A ransomware attack significantly disrupted TransLink, Vancouver's public transportation agency, beginning on December 1, 2020. The incident first appeared as technical problems affecting Compass card functionality and ticket kiosk payments, interrupting fare services for passengers. TransLink publicly described the problem as a prolonged technical outage until journalists from CITY NEWS 1130 obtained evidence of a ransomware incident, after which the agency acknowledged the attack. CEO Kevin Desmond confirmed the breach in a statement released after the media report, disclosing that attackers had compromised portions of TransLink's IT infrastructure. The attackers delivered their ransom demand by sending it to the agency's printers, a tactic local reporters documented after obtaining a copy of the printed note. Analysis of the ransom note identified the malware as a variant of the Egregor ransomware, consistent with the operating pattern of an affiliate group of the Egregor Ransomware-as-a-Service operation. The same group had used identical printer-based ransom delivery in an earlier attack on Cencosud, a South American retail chain.

TransLink restored partial functionality to its Compass kiosks following the attack, allowing passengers to use Tap to Pay at fare gates. The agency emphasized that transit operations, including bus and rail routes, were unaffected throughout the incident. Egregor affiliates typically exfiltrate data before encrypting files, but TransLink's forensic investigation was still ongoing at the time of reporting, so data theft could be neither confirmed nor ruled out. Desmond stated that payment card information was not at risk because TransLink does not store such data. The incident showed how exposed the ticketing systems were even though core transportation services kept running. Restoration efforts focused on the compromised IT infrastructure, but public statements did not detail which systems beyond the ticketing platforms were affected. TransLink officials disclosed no further details regarding ransom negotiations, payment demands, or data recovery timelines in the immediate aftermath.
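The printer-delivered ransom note described above leaves a network footprint worth alerting on: one host that is not a print server suddenly opening print connections to many printers in a short span. The following detection is an added example written for this page; it is not TransLink's code and does not come from the original reporting. It assumes flow or firewall logs in a simple constructed "timestamp src dst port bytes" line format, and it assumes the notes were pushed as raw network print jobs over TCP 9100 (JetDirect), 515 (LPD) or 631 (IPP); the page does not state which protocol the attackers actually used. All sample records are constructed.

```python
"""Detect a single host fanning out print jobs to many network printers.

Added example, not TransLink's code. Assumptions: (a) logs in the
constructed "ts src dst dport bytes" format below, and (b) ransom notes
delivered as raw network print jobs on 9100/515/631; the page does not
say which protocol the attackers used.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

PRINT_PORTS = {9100, 515, 631}  # raw JetDirect, LPD, IPP (assumed)

# Constructed sample records (not real TransLink data).
# Format: "<ISO-8601 ts> <src_ip> <dst_ip> <dst_port> <bytes>"; '#' starts a comment.
SAMPLE_FLOWS = """\
2020-12-01T02:10:05Z 10.20.5.17 10.20.9.31 9100 2048
2020-12-01T02:10:05Z 10.20.5.17 10.20.9.32 9100 2048
2020-12-01T02:10:05Z 10.20.5.17 10.20.9.33 9100 2048
2020-12-01T02:10:06Z 10.20.5.17 10.20.9.34 9100 2048
2020-12-01T02:10:06Z 10.20.5.17 10.20.9.35 9100 2048
2020-12-01T02:10:06Z 10.20.5.17 10.20.9.36 9100 2048
2020-12-01T02:10:07Z 10.20.5.17 10.20.9.37 515 2048
2020-12-01T02:11:00Z 10.20.5.17 10.20.9.38 9100 2048
2020-12-01T02:10:30Z 10.20.5.17 10.20.8.200 445 900000   # SMB, not a print port
2020-12-01T08:15:22Z 10.20.7.5 10.20.9.31 9100 61440     # the real print server
2020-12-01T08:16:10Z 10.20.7.5 10.20.9.32 631 12000
2020-12-01T09:00:00Z 10.20.6.44 10.20.9.33 9100 50000    # one user, one printer
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse the constructed line format; skips blank lines and comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, dport, nbytes = line.split()
        # fromisoformat() before Python 3.11 does not accept a trailing 'Z'.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append(Flow(when, src, dst, int(dport), int(nbytes)))
    return flows


def find_print_fanout(flows, known_print_servers=frozenset(),
                      min_printers=5, window=timedelta(minutes=5)):
    """Return {src_ip: [printer_ip, ...]} for every source that reaches at
    least `min_printers` distinct printers inside some `window`-long span.

    Legitimate print servers talk to many printers, so they are allowlisted;
    a workstation or file server doing the same thing is the signal."""
    events = defaultdict(list)  # src -> [(ts, dst)] for print-port flows only
    for f in flows:
        if f.dport in PRINT_PORTS and f.src not in known_print_servers:
            events[f.src].append((f.ts, f.dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()  # dst -> number of events currently in the window
        left = 0
        best = set()
        for ts, dst in evs:
            in_window[dst] += 1
            # Advance the left edge until the window is no wider than `window`.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_printers and len(in_window) > len(best):
                best = set(in_window)
        if best:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for src, printers in find_print_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} pushed jobs to {len(printers)} printers: {', '.join(printers)}")
```

With the constructed data, 10.20.5.17 is flagged for reaching eight printers in under a minute, while the allowlisted print server and the single-printer user are not. The threshold and window are tuning knobs: lower `min_printers` on a small network, and keep the allowlist short so that a compromised print server is not silently excused.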
