Toronto subways hit by ransomware as US lawmakers slam ‘burdensome’ cybersecurity rules
The Toronto Transit Commission (TTC) — which runs the city’s public transportation system — reported a ransomware attack this weekend that forced conductors to use radio, crippled the organization’s email system and made schedule information on platforms and apps unavailable.
In a statement on Friday, the TTC said it confirmed it was the victim of a ransomware attack after its IT staff “detected unusual network activity and began investigating.”
“Impact was minimal until midday Friday, October 29, when hackers broadened their strike on network servers. The incident did not cause significant service disruptions, and there is no risk to employee or customer safety,” the TTC said.
Impacted services include the TTC’s Vision system, which operators use to communicate with Transit Control. Next-vehicle information on platform screens, through trip-planning apps and on the TTC website was unavailable, as were online Wheel-Trans bookings.
It is unclear which ransomware group attacked Toronto’s system on Friday.
“The full extent of the attack is being looked into, and the TTC is working with law enforcement and cybersecurity experts on this matter. The City of Toronto’s IT services department has been consulted,” the TTC said in a statement.
The Record noted that this is the third ransomware attack on a major Canadian city’s metro system in the last year. Montreal’s system was hit in October 2020, and Vancouver’s was attacked in December 2020.
San Francisco, Sacramento, Fort Worth, Philadelphia and Ann Arbor have all seen ransomware attacks on their transportation systems over the last five years, and New York City’s MTA was hit with a cyberattack in April. A ransomware attack shut down ferry services in Cape Cod, Martha’s Vineyard and Nantucket in June.
Despite the recent attacks, lawmakers in the US are continuing to fight cybersecurity regulations handed down by the Department of Homeland Security, the Transportation Security Administration and CISA.
In a new letter to Department of Homeland Security inspector general Joseph Cuffari sent last Thursday, US Senators Rob Portman, Michael Rounds and James Lankford slammed the cybersecurity regulations again, calling them “unnecessarily burdensome requirements that shift resources away from responding to cyberattacks to regulatory compliance.”
The TSA and DHS pushed the new regulations this summer because companies involved in critical industries like transportation and gasoline routinely flouted voluntary cybersecurity rules and inspections. Colonial Pipeline, which was hit with a ransomware attack in May that left millions without gasoline for about a week, repeatedly pushed back cybersecurity reviews before it was attacked.
But now, the government agencies are facing backlash from these companies, cybersecurity experts and Republican leaders in the Senate, all of whom believe more time should have been spent working with those involved in cybersecurity before the new rules were handed down.
“We have received reports that TSA and CISA failed to give adequate consideration to feedback from stakeholders and subject matter experts who work in these fields and that the requirements are too inflexible,” the senators wrote in their letter.
“We are concerned that the recently issued security directives appear to depart from TSA’s historically collaborative relationship with industry experts.”
They go on to ask that DHS review each new regulation and provide explanations and legal justifications for all of the cybersecurity rules. They demanded a response in 120 days.
While some have questioned the partisan nature of the demands, many cybersecurity experts have also raised concerns about the rules from a technical standpoint, noting that they could have been more focused if TSA had worked with experts more closely.