The Greater Richmond Transit Company was hacked twice in four months, the organization confirmed this week. It had not publicly disclosed one of those incidents.
A database that compiles ransomware attacks listed the incidents: one reported in December 2023 and one in February 2024. A GRTC spokesperson confirmed the first breach happened over Thanksgiving weekend last year.
“Around Thanksgiving, GRTC experienced a computer network disruption that temporarily impacted certain applications and parts of the GRTC network,” spokesperson Henry Bendon wrote at the time of the initial breach. “In response, our IT staff quickly discovered and restored our computer network. All services are currently running as scheduled and GRTC does not expect any additional disruptions for riders at this time.”
Sara Sendek, a cybersecurity expert with FTI Consulting, didn’t speculate on reasons for an attack on GRTC’s network, but said cyberattacks on local governments and public services have become more common in recent years.
“State and local governments have been increasingly one of those targets, in addition to hospitals and school districts … where cyber criminals might feel they're more likely to pay if [the attack is] disruptive enough,” Sendek said.
She said cybercriminals are generally out for monetary gain — whether that’s a direct ransom payment or through accessing sensitive information.
The Record, a digital media outlet that covers cybersecurity, first reported the November 2023 breach and noted a range of other public transit systems had been targeted.
A 2023 report by the FBI’s Internet Crime Complaint Center indicated it “received 2,825 complaints of ransomware attacks” that year. More than 40 of the organizations that were targeted were “transportation systems.”
The report also said attacks have almost doubled since 2019.
Each part of state and local government has “different levels of security,” Sendek said.
“[C]yber criminals are relentless,” she continued. “They'll look for any sort of exploit, any way in. They're constantly just searching and scanning, and looking for some way to get in and target any organization that they think they have a chance to make money off of.”
Sendek said sharing information among localities and organizations can be beneficial following a breach.
Bendon told VPM News that GRTC followed protocol to restore security in both instances of the organization being breached. He declined to specify what GRTC’s protocol is following an attack, but said the bus system hasn’t had major service disruptions because of a cybersecurity issue — though live tracking of buses had been interrupted previously.
A spokesperson for the FBI’s Richmond field office declined to say if it had investigated the GRTC cyberattacks, citing U.S. Department of Justice policies.