Metrolinx making 'significant investments' to protect Presto from hackers

The Presto transit fare card used by millionsof riders in Toronto, Hamilton and Ottawa is not immune to the type of cyberattack that crippled San Francisco's transit agency last weekend, according to IT security experts and Metrolinx.

Hackers took down the Munitransit system's computers,rendering its fare-payment cards useless, so San Francisco transit officials were forced to let commuters ride for free.

The culprits used ransomware, a type of malicious software designed to extort money from the computer system's owner. Ransomware locks or encrypts a system's data, making it impossible to use, and the hackers demand payment to restore access.

• Hackers demand ransom from San Francisco transit system
• Carleton University computers held hostage for bitcoin
• Crash of provincial literacy test blamed on 'malicious' cyberattack

It's the kind of thing that could happen not only tothe Presto system, but to any computerized aspect of transit, such as dispatching, GPS tracking and track signals.

"If we said,'It could never happen here,'then you would leave yourself very vulnerable," said Anne MarieAikins, spokesperson for Metrolinx, the agency that manages the Presto card, as well as GOTransit and the Union-Pearson Express.

"Any kind of attack can happen anywhere," Aikins said Tuesday in an interview with CBC Toronto. "One of the most important things to protecting yourself is to acknowledge that every system is vulnerable and then to protect yourself as best you can."

AttyMashatan, an assistantprofessor of information technology management atRyersonUniversity, agrees that ransomware can attack any computer system that's not properly protected, and transit agencies are no exception.

"It's no longer a matter of ifan organization is going to be hit by ransomware, it's when they'll be hit and affected," said Matashan in an interview. "And when it happens, are they prepared and ready or not?"

The San Francisco transit attackers demandedransom in the digital currency Bitcoin worth about $73,000 (US).

There have been no public reports of such attacks on Canadiantransit systems, but post-secondary institutions have been hit. On Tuesday, Carleton University warned students that ransomware messages were appearing on computers logged into its system.

The University of Calgarypaid $20,000 in response to a ransomwarecyberattack on its computer systems earlier this year. Memorial University of Newfoundlandfaced a small-scale ransomware attack just last month.

Other ransomware attackshave hit hospitals in Ontario,law firms in B.C.and even ordinary Canadian families,

Ransomware "clearly is a growth industry," said Robert Hudyma, an associate professor at Ryerson's School of Information Technology Management. "The attackers can come from anywhere in the world."

Anytransit system using technology similar toSan Francisco's would be vulnerable,Hudymasaid, but companies can lessen their vulnerability with state-of-the-art design of their IT systems. "It wouldn't be hacker-proof but it would be resistant to hackers," he said.

• What you need to know about ransomware

Metrolinx has made "significant investments"in IT security, saidAikins, and has added roles in its organization to stay on top of cyber risks as they evolve. "You have to make sure you're armed against all the ways [hackers]couldimpactyourservice,"shesaid.

She said Metrolinx staff heard about the San Franciscocyberattackas it was happeningand stand to learn lessons from it.

Metrolinx says more than twomillion customers are using Presto cards on GO Transit, Toronto's TTC, Ottawa's OCTranspo, and the local transit services in such locations as Hamilton,Mississauga, York Region and Durham Region.