Printed ransom note asked TransLink for $7.5 million in December cyberattack
Published Thursday, April 15, 2021 12:56PM PDT Last Updated Friday, April 16, 2021 8:19AM PDT
VANCOUVER -- CTV News Vancouver has learned the hackers who ground TransLink’s payment systems to a halt in December were asking for approximately $7.5 million.
According to FOI documents, the hackers were not paid the money.
“There is no guarantee that the cyberattackers would keep confidential any data that they accessed,” TransLink said in its response to the FOI request from CTV News.
TransLink also confirmed the hackers accessed personal information of employees, including some former and retired, and a limited number of employees’ spouses. They did not say how many had their information stolen, only that all affected individuals received a notification letter by mail.
According to the FOI response, the restricted network drive the hackers accessed contained sensitive personal information, including some banking information and social insurance numbers. However, according to documents, there is “no evidence” Compass Card customer payment information was accessed during the attack.
The ransom note from the attackers was received through TransLink’s printers, according to the transit provider.
TransLink withheld a copy of the note in its response to the FOI request, arguing it was necessary to do so “due to the nature of the investigation and ongoing work on this file.”
The investigation began on Dec. 1, when TransLink tweeted about looking into an issue “affecting some of our information technology systems.”
It ultimately resulted in the suspension of some modes of payments for passengers. The company said at the time it had disabled the services out of an abundance of caution. This meant vending kiosks accepted cash only to load fares or purchase single tickets. The payment issues meant problems for most people trying to board without having a pre-loaded compass card.
During the second day of the ransomware attack, Translink confirmed it had lost its communications systems, meaning the company was “unable to track buses.”
Today, more than four months later, the company's real-time next bus application is still shut down, displaying only scheduled departure times, rather than live information.
TransLink spokesperson Jill Drews confirmed to CTV News that the real-time data is still down, and said she was unable to provide an estimated time for when it would be restored.
"Our IT staff and external experts are inspecting everything on the servers to determine what was accessed and what wasn’t," Drews explained in an email. "They’re also making sure each piece is clean and safe to bring up again. This is an intensive process that will take time. … The team is working as quickly as possible given the circumstances."
TransLink is recommending that customers use Google Trip Planner as an alternative, Drews said.