Société de transport de Montréal

The Société de transport de Montréal (STM) is the public transit agency responsible for operating the bus and metro networks serving the city of Montreal, Quebec, Canada. Its core mandate includes providing daily public transportation services to residents and visitors, managing the infrastructure and fleet necessary for these operations, and offering an adapted transit reservation system for users with reduced mobility. The agency's scope is concentrated on the metropolitan area of Montreal, functioning as the primary entity for public transit within that municipal jurisdiction. The scale of its operational footprint is evidenced by its significant information technology infrastructure, which supports critical transit functions. A major cybersecurity incident in 2020 involved approximately 1,000 servers, with 624 of these deemed operationally critical, underscoring the substantial digital backbone required to manage a complex urban transit system.

The STM demonstrated notable resilience and incident response capabilities during the ransomware attack that commenced on October 19, 2020. The attack vector was a phishing email, and the ransomware variant shared similarities with RansomExx, with attackers demanding a $2.8 million ransom which the agency refused to pay. Crucially, the attack did not result in any data exfiltration, and core bus and metro services remained operational throughout the disruption, highlighting effective business continuity planning. The incident primarily disrupted the adapted transit reservation system and internal IT systems, but employee payments proceeded nearly normally and supplier payments were completely unaffected, indicating robust financial and administrative segregation. Systems were restored progressively, with the reservation service returning within days and the majority of the affected servers recovered in the subsequent period. This event illustrates the STM's capacity to withstand a significant cyber incident without compromising essential public services or financial obligations, and without acquiescing to extortion demands.