Lisa Walton, chief technology officer at the San Francisco Municipal Transportation Agency, works at her desk at SFMTA headquarters on Tuesday. (Jessica Christian/S.F. Examiner)

Lisa Walton, chief technology officer at the San Francisco Municipal Transportation Agency, works at her desk at SFMTA headquarters on Tuesday. (Jessica Christian/S.F. Examiner)

Muni’s tech expert reveals details of harrowing ransomware attack

The Friday after Thanksgiving, Muni’s top tech guru reclined in her pajamas in her Nob Hill home, playing a game of “Bubble Pop” on her iPad.

That’s when Lisa Walton, chief technology officer for the San Francisco Municipal Transportation Agency, received the email — Muni had been hacked.

“I was immediately drawn to the fact that it looked like a virus,” Walton told the San Francisco Examiner on Tuesday, in the first official recounting of the behind-the-scenes battle to fight back against the malicious software attack that struck on Thanksgiving weekend.

“Bubble Pop” would have to wait.

Walton headed to SFMTA headquarters to assess the problem.

“At that point, we went into ‘identify and contain’ mode,” she said.

By that time, a software pirate had splashed a message — “You Hacked, ALL Data Encrypted. Contact For Key(cryptom27@yandex.com)ID:681 ,Enter.” — across many SFMTA computers, some of which were visible at train stations throughout The City.

According to the alleged “hacker,” an employee at the SFMTA had mistakenly downloaded malicious software, known as ransomware, designed to scoop up important data and hold it under a digital lock and key for money. The “hacker” demanded 100 Bitcoin, a digital currency, which translates to about $73,000.

Walton contacted SFMTA management, and the agency contacted the FBI and the Department of Homeland Security.

One of the first priorities was restoring computers at Muni division yards, where buses are deployed. For the weekend following the attack, Muni operators told the Examiner they were assigned buses by handwritten paper — far afield from their usual computer printouts.

Muni service wasn’t affected, though the agency opened fare gates and shut down its train fare systems, so they were isolated from the potential spread of the malware.

All told, the SFMTA estimates it lost $50,000 in revenue from two days of free train rides during the attack.

Walton also assembled her teams specializing in networks, servers and desktops, which amounted to about 15 people.

“We went into disaster recovery mode,” she said. “Even if something wasn’t overtly affected, we needed to make sure, regardless.”

The team went to work fixing most of the SFMTA’s 8,000 computer systems remotely from their offices on Market Street. Using backup copies of the computer hard drives, they “re-imaged” most of the computers by the following Monday, Nov. 28.

A few stragglers — laptops taken home for the weekend or ones they missed at bus yards — took until the following Wednesday to fix. By then, the process was complete.

The SFMTA said previously it never intended to pay the ransom, but in Tuesday’s interview, Walton gave further illumination as to why.

“The hacker kept saying [they were ransoming] 32 gigabytes of data. That’s nothing,” Walton said. A gigabyte is a unit of measure concerning file sizes in computer storage. “We have 26 data stores at 300 [gigabytes] a piece,” she said, and “that’s just email.”

Still, Walton added, “We were being cautious, we didn’t take anything for granted.”

Transit

If you find our journalism valuable and relevant, please consider joining our Examiner membership program.
Find out more at www.sfexaminer.com/join/

Just Posted

A health care worker receives the Moderna COVID-19 vaccine. (Go Nakamura/Getty Images/TNS)
City sets ambitious goal to vaccinate residents by June

Limited supply slows distribution of doses as health officials seek to expand access

U.S. President-elect Joe Biden and Jill Biden arrive at Biden's inauguration on the West Front of the U.S. Capitol on January 20, 2021, in Washington, DC.  (Win McNamee/Getty Images/TNS)
Joe Biden issues call for ‘unity’ amidst extreme partisan rancor

‘I will be a president for all Americans,’ he says in inauguration speech

MARIETTA, GA - NOVEMBER 15: Democratic U.S. Senate candidates Jon Ossoff (R) and Raphael Warnock (L) of Georgia taps elbows during a rally for supporters on November 15, 2020 in Marietta, Georgia. Both become senators Wednesday.  (Jenny Jarvie/Los Angeles Times/TNS)
Vice President Harris swears in senators Padilla, Warnock, Ossoff

New Democratic senators tip balance of power in upper legislative house

The charismatic Adarsh Gourav, left, and Priyanka Chopra Jonas star in “The White Tiger,” Ramin Bahrani’s adaptation of the novel by Aravind Adiga.<ins> (Courtesy Netflix)</ins>
‘White Tiger’ takes in-depth look at India’s caste system

‘Identifying Features’ depicts human effects of Mexico’s drug wars

President Joe Biden plans to sign a number of executive orders over the next week. (Biden Transition/CNP/Zuma Press/TNS)
Biden signals new direction by signing mask order on his first day in office

President plans ambitious 10-day push of executive orders, legislation

Most Read