The Kansas City Area Transportation Authority (KCATA) announced it was targeted by a ransomware attack on Tuesday, January 23.
KCATA is a bi-state public transit agency serving seven counties of Missouri and Kansas, operating 78 bus routes and 6 MetroFlex routes using a fleet of 300 buses. The company reports that 10.5 million people use their services in a year.
On Wednesday, the organization announced that it suffered a ransomware attack that impacted all its communication systems.
“A ransom cyber-attack hit the KCATA early Tuesday, January 23. We have contacted all appropriate authorities, including the FBI,” reads the announcement.
“The primary customer impact is that regional RideKC call centers cannot receive calls, nor can any KCATA landline.”
The announcement provides alternative phone numbers for Freedom and Freedom-On-Demand Paratransit customers who need to schedule a trip.
Despite the disruption in call centers, KCATA routes are still working as usual, so passenger transit operations haven’t been impacted.
“All service is operating, including fixed-route buses, Freedom and Freedom-On-Demand paratransit service,” explained KCATA.
Logging in to ridekc.org and using the transit app to receive bus schedule information also work normally.
“KCATA is working around the clock with our outside cyber professionals and will have systems back up and running as soon as possible,” concludes the announcement.
A significant concern in ransomware incidents is the possibility of data theft, including personal and payment details of customers, which in this case would expose many people using KCATA services.
The agency has not elaborated on the possibility of registered members and pass holders having had their sensitive information exposed to cybercriminals.
Update 1/27 – Medusa ransomware claimed responsibility for the attack on KCATA, and posted data samples allegedly belonging to the organization on their extortion portal on the dark web.
The threat actors have given KCATA 10 days to negotiate a resolution, and their financial demands were set to a payment of $2,000,000.
Also, Medusa offers the option to extend the deadline for making the stolen data available to the public, for $100,000/day.