TransLink staff have been told that a cyberattack early this month accessed personal banking information and other files, and is advising employees to sign up for credit monitoring.
In an internal email to employees at Coast Mountain Bus Company (CMBC) obtained by Global News Wednesday, staff were told the attackers “accessed and may have copied files from a restricted network drive” that contains payroll information for TransLink, CMBC and Metro Vancouver Transit Police employees, along with other network drives.
“Those restricted network drives include files that contain banking information and some social insurance numbers,” the email says.
The company says it is quickly working to determine exactly what files were accessed and identify the individuals affected. Those employees will be given a detailed description of what information has been compromised “as soon as possible.”
All employees are being urged to sign up for two-year credit monitoring, which is being provided through the workers’ union at no cost to staff.
Global News reached out to Translink on Wednesday evening, and heard back from Translink Spokesperson Ben Murphy via email, who confirms the information contained in the leaked email.
Murphy stresses that this is an issue of concern only to Translink employees, not customers.
“Importantly, as we outlined previously, TransLink does not store or have access to Compass customer fare payment information,” said Murphy. “We are now in the process of gradually bringing priority systems back online as safely as possible.”
The ransomware attack, which was first reported Dec. 2 and confirmed by the transit authority a day later, forced TransLink to shut down all of its online operations after sources said the entire database was breached earlier that week. Credit card tapping on Compass gates and non-cash payments at Compass vending machines were also temporarily disabled.
Ransomware is a type of malicious software that locks up a computer network or steals data. Attackers demand a ransom in exchange for unlocking the system or returning the data.
In the ransom letter sent to TransLink and obtained by Global News, the attackers say the transit authority’s network “has been ATTACKED, your computers and servers were LOCKED, your private data was DOWNLOADED.
“If you do not contact us in the next three DAYS we will begin DATA publication.”
The letter viewed by Global News does not specify a ransom amount, but goes on to claim that recovering the data and systems without paying the ransom will cost “hundreds of millions” of dollars.
TransLink took the position that it will not give in to the ransom demand, sources told Global News at the time.
The attack forced TransLink to pay employees through a cash advance after its payroll operations were suspended.
Metro Vancouver Transit Police says an investigation has been launched involving local and national cyber-crime experts.
–With files from Amy Judd and Simon Little