Cyber Incident Victim: Metro Mobility

In June 2019, Metro Mobility, a Twin Cities transit service for people with disabilities, experienced a data breach involving unauthorized access to an employee's email account. The intrusion occurred over a two-month period between June 13 and August 14, 2019, when the breach was discovered. During this timeframe, an external attacker compromised the email system and potentially accessed sensitive personal information belonging to approximately 15,000 customers. The exposed data included rider names, specific pickup and drop-off addresses, scheduled ride times, and special instructions provided to drivers regarding passenger needs. This information could potentially reveal patterns of movement and sensitive details about riders' disabilities or medical requirements through the special instructions field. The breach duration of 62 days allowed extensive access to operational communications containing this personal data.

Metro Mobility initiated customer notifications following the August 14 discovery of the breach, with public disclosure occurring through media reports on September 6, 2019. The organization confirmed the breach stemmed specifically from email account compromise rather than a broader system intrusion. While the notification confirmed potential exposure of personal information, no evidence suggested misuse of the data at the time of disclosure. The incident exposed vulnerabilities in employee account security that enabled prolonged unauthorized access to sensitive rider information. Metro Mobility's response focused on direct customer notification but did not publicly detail additional containment measures, forensic findings, or security enhancements implemented post-breach. The compromised data lacked financial information but created privacy risks through exposure of transportation patterns and disability-related details for a vulnerable population.