Metrolinx making 'significant investments' to protect Presto from hackers

The Presto transit fare card used by millions of riders in Toronto, Hamilton and Ottawa is not immune to the type of cyberattack that crippled San Francisco's transit agency last weekend, according to IT security experts and Metrolinx.

After ransomware attack shuts down San Francisco's transit computers, Metrolinx admits every system vulnerable

With the growth of ransomware attacks on computers, including San Francisco's transit system last weekend, Metrolinx acknowledges that its computers and the Presto card system are as vulnerable to an attack as any other.

The Presto transit fare card used by millions of riders in Toronto, Hamilton and Ottawa is not immune to the type of cyberattack that crippled San Francisco's transit agency last weekend, according to IT security experts and Metrolinx.  

Hackers took down the Muni transit system's computers, rendering its fare-payment cards useless, so San Francisco transit officials were forced to let commuters ride for free. 

The culprits used ransomware, a type of malicious software designed to extort money from the computer system's owner. Ransomware locks or encrypts a system's data, making it impossible to use, and the hackers demand payment to restore access.

It's the kind of thing that could happen not only to the Presto system, but to any computerized aspect of transit, such as dispatching, GPS tracking and track signals.  

"If we said, 'It could never happen here,' then you would leave yourself very vulnerable," said Anne Marie Aikins, spokesperson for Metrolinx, the agency that manages the Presto card, as well as GO Transit and the Union-Pearson Express.

"Any kind of attack can happen anywhere," Aikins said Tuesday in an interview with CBC Toronto. "One of the most important things to protecting yourself is to acknowledge that every system is vulnerable and then to protect yourself as best you can." 

Atty Mashatan, an assistant professor at Ryerson University's School of Information Technology Management, says it's a question of when, not if, an organization will suffer a cyber attack. (photo supplied)

Atty Mashatan, an assistant professor of information technology management at Ryerson University, agrees that ransomware can attack any computer system that's not properly protected, and transit agencies are no exception.

"It's no longer a matter of if an organization is going to be hit by ransomware, it's when they'll be hit and affected," said Matashan in an interview. "And when it happens, are they prepared and ready or not?"  

The San Francisco transit attackers demanded ransom in the digital currency Bitcoin worth about $73,000 (US).

There have been no public reports of such attacks on Canadian transit systems, but post-secondary institutions have been hit. On Tuesday, Carleton University warned students that ransomware messages were appearing on computers logged into its system.   

The University of Calgary paid $20,000 in response to a ransomware cyberattack on its computer systems earlier this year. Memorial University of Newfoundland faced a small-scale ransomware attack just last month.

Other ransomware attacks have hit hospitals in Ontariolaw firms in B.C. and even ordinary Canadian families

Hackers took down San Francisco's Muni transit system's computers last weekend, rendering its fare-payment cards useless, so transit officials were forced to let commuters ride for free. (Shutterstock)

Ransomware "clearly is a growth industry," said Robert Hudyma, an associate professor at Ryerson's School of Information Technology Management. "The attackers can come from anywhere in the world." 

Any transit system using technology similar to San Francisco's would be vulnerable, Hudyma said, but companies can lessen their vulnerability with state-of-the-art design of their IT systems. "It wouldn't be hacker-proof but it would be resistant to hackers," he said.  

Metrolinx has made "significant investments" in IT security, said Aikins, and has added roles in its organization to stay on top of cyber risks as they evolve. "You have to make sure you're armed against all the ways [hackers]could impact your service," she said.

She said Metrolinx staff heard about the San Francisco cyberattack as it was happening and stand to learn lessons from it. 

Metrolinx says more than two million customers are using Presto cards on GO Transit, Toronto's TTC, Ottawa's OC Transpo, and the local transit services in such locations as Hamilton, Mississauga, York Region and Durham Region.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.