Cyber Incident Victim: Los Angeles Metro
Date: Mar 2026
Location: United States of America
Summary
Los Angeles Metro detected unauthorized activity on its internal network and responded by limiting employee access and shutting down affected systems while keeping rail and bus operations running. The disruption caused some digital arrival boards to go blank and prevented customers from loading funds onto TAP cards online or at kiosks, though the agency confirmed that no customer or employee data was compromised. Officials said they are reviewing approximately 1,400 servers to ensure security before restoring access, and that the investigation into the breach’s origin and scope continues.
Description
On Monday, March 16, 2026, the Los Angeles Metro’s security team discovered unauthorized activity on its internal computer systems and promptly limited employee access to many administrative computers. The agency stated that the detection occurred the previous week, prompting a proactive containment measure. Officials emphasized that the action was taken to prevent further spread while preserving essential rail and bus operations. Metro’s transit safety and security systems remained online throughout the initial response. A Metro board member later described the effort as a painstaking process to verify each system before restoration.

By the week of March 20, 2026, the restriction of internal systems expanded to a shutdown of several customer-facing services, causing digital arrival boards to go blank and preventing commuters from loading funds onto TAP cards online or at ticket kiosks. Riders reported being unable to complete payment attempts at machines and on their phones, leading Metro to advise adding funds at vending machines where possible. The agency confirmed that train and bus schedules continued unaffected and that rider safety was not compromised. Metro also stated that no customer or employee data had been accessed or stolen during the incident.

In response, Metro began reviewing approximately 1,400 servers individually to ensure each was free of malicious code before restoring access, a process described by a board member as necessary given the agency’s size. Law enforcement and cybersecurity specialists continued to investigate the origin and scope of the breach, though officials had not identified the attackers or determined what data, if any, had been targeted. Throughout the investigation, Metro maintained that its core transit services operated without interruption.
