
Cyber Incident Victim: Pierce Transit

Date: Feb 2023

Location: United States of America

Summary

Pierce Transit, a Washington state public transport service, was targeted by a ransomware attack that disrupted some administrative systems. The company's phones and certain systems were affected, but transportation services continued to operate normally. Temporary workarounds were put in place, and third-party experts were engaged to investigate the incident, with LockBit claiming responsibility for the attack.

Description

On February 14, 2023, Pierce Transit, a public transportation service in Washington state, experienced a significant cyber incident in the form of a ransomware attack. This attack, which was later claimed by the LockBit ransomware group, forced Pierce Transit to implement temporary workarounds for certain administrative systems, disrupting their operations.

Pierce Transit, officially known as the Pierce County Public Transportation Benefit Area Corporation, is a public transportation service provider based in Tacoma, Washington. The company serves approximately 18,000 people daily in Tacoma and the surrounding Pierce County area. On February 15, 2023, a day after the attack, Pierce Transit reported a service disruption on Facebook, attributing it to a network issue causing an outage in their phone systems.

However, the full extent of the incident became clearer on March 1, 2023, when a Pierce Transit spokesperson provided more details to KOMO News. The spokesperson confirmed that the company had experienced a ransomware incident that temporarily disrupted some agency systems. Upon detecting the breach, Pierce Transit's team swiftly took action to contain and isolate the threat. They engaged third-party forensic experts to conduct a comprehensive investigation into the nature and scope of the incident and notified law enforcement.

The spokesperson assured that all transportation services were operating normally, but temporary workarounds were necessary for affected administrative systems in the initial hours and days following the incident. By the time of the spokesperson's statement, the majority of operations had been fully restored.

The LockBit ransomware group, which has been active since at least 2019 and is believed to be a Russian-speaking entity, claimed responsibility for the attack. They demanded a substantial ransom of US$1,999,999 for either the destruction or return of the exfiltrated data, setting a deadline of February 28, 2023. According to LockBit, the stolen data included sensitive information such as postal correspondence, NDA agreements, personal data of customers, contracts, and more.

Pierce Transit, however, refused to pay the ransom, following the guidance of the US government and the FBI, which advise against paying ransoms in such cases. The rationale behind this advice is that if companies stop paying, the threat of ransomware attacks may diminish as cybercriminals realize that this strategy is no longer profitable.

LockBit has been a prolific threat actor in the past 12 months, conducting numerous attacks and also operating as a ransomware-as-a-service provider. They have claimed responsibility for high-profile attacks, including those against the Italian tax office and the bookstore chain WH Smith. Notably, LockBit has also been a significant threat in Australia, prompting the Australian Cyber Security Centre to issue an alert to Australian companies in response to a spike in LockBit ransomware attacks across the country.

In the case of Pierce Transit, the group made good on its threat to publish the stolen data after the ransom deadline passed without payment. This incident highlights the growing sophistication and audacity of ransomware groups, who are increasingly targeting critical infrastructure and essential services, such as public transportation, to maximize their leverage in ransom negotiations.

The impact of the attack on Pierce Transit's operations and customers was significant. While transportation services continued to run as normal, the temporary workarounds for administrative systems likely caused delays and disruptions in various back-end processes. These disruptions could have affected scheduling, maintenance, and other critical functions that rely on administrative systems.

Moreover, the breach of sensitive data, including personal information of customers, poses a serious risk of identity theft and fraud. The exposure of postal correspondence, contracts, and NDA agreements could also lead to legal and financial consequences for Pierce Transit and its partners. The company's decision not to pay the ransom, while in line with official guidance, may have been a difficult choice, as it potentially left them vulnerable to further data leaks and reputational damage.

The Pierce Transit incident is part of a broader trend of ransomware attacks targeting public transportation systems and critical infrastructure. In the past few years, similar attacks have disrupted transportation services in cities like San Francisco, Baltimore, and New York, causing significant operational challenges and highlighting the vulnerability of these essential services to cyber threats.

The increasing frequency and sophistication of these attacks underscore the urgent need for robust cybersecurity measures in the transportation sector. Transportation systems, which often rely on interconnected networks and digital technologies for efficient operations, are attractive targets for cybercriminals due to the potential for widespread disruption and the value of the data they hold.

To mitigate the risks, transportation organizations should prioritize cybersecurity by implementing comprehensive security frameworks, conducting regular security audits, and investing in employee training and awareness programs. Collaboration between transportation providers, cybersecurity experts, and law enforcement is also crucial in developing strategies to prevent, detect, and respond to cyber threats effectively.

In the aftermath of the Pierce Transit attack, the company has likely learned valuable lessons about the importance of cybersecurity and the potential consequences of a breach. By sharing their experience and best practices with other transportation providers, Pierce Transit can contribute to strengthening the overall resilience of the transportation sector against cyber threats.

The impact of the Pierce Transit cyber incident extends beyond the organization itself, serving as a stark reminder of the evolving nature of cyber threats and the need for constant vigilance. As cybercriminals become increasingly sophisticated and audacious, organizations must adapt their cybersecurity strategies and remain proactive in defending against potential attacks. By learning from incidents like the one at Pierce Transit, the transportation sector can work towards building a more secure and resilient digital infrastructure, ensuring the safety and continuity of essential services for the public.

The attack on Pierce Transit also raises broader questions about the role of government and law enforcement in addressing the growing threat of ransomware. While the US government and the FBI provide guidance and support to affected organizations, the effectiveness of these efforts depends on a coordinated and proactive approach. This includes not only responding to individual incidents but also investing in cyber defense capabilities, promoting information sharing among public and private entities, and fostering international cooperation to disrupt and deter cybercriminals.

In conclusion, the Pierce Transit cyber incident serves as a cautionary tale, highlighting the vulnerabilities of critical infrastructure to ransomware attacks and the potential consequences for both organizations and the public they serve. As cyber threats continue to evolve, it is imperative for transportation providers and other critical infrastructure operators to prioritize cybersecurity, collaborate with relevant stakeholders, and remain vigilant in the face of an ever-changing threat landscape. By doing so, they can better protect their operations, customers, and data, contributing to a more secure and resilient digital ecosystem.
