San Francisco-Area Commuters' Personal Data Exposed in Anonymous Hack
Passengers who ride the San Francisco regional subway system are the latest innocent victims, as hacktivist collective Anonymous stole and released sensitive information belonging to more than 2,000 riders.
On Aug. 14, the loose-knit group of hackers breached MyBart.org, the Website commuters use to get information from the Bay Area Rapid Transit system. The names, street and email addresses and site passwords for about 2,400 people who'd registered with the Website were dumped on various torrent sites. Some database dumps also included phone numbers for many users. The attackers defaced the Website with Guy Fawkes masks.
The attack was in protest of two fatal shootings by the transit police and the regional subway authority's decision to temporarily suspend cell phone service in its stations, Anonymous wrote in a note. BART officials disconnected cellular antennas used at several San Francisco stations on Aug. 11 to disrupt plans for a demonstration protesting a fatal shooting of a passenger accused of throwing a knife at a transit officer July 3. No protest actually took place during the time the cellular link was down.
"A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators," BART officials said in an Aug. 12 statement. The suspension was for only a few hours and did not affect cellular service outside the stations, the officials said.
An earlier protest on July 11 had disrupted BART service in the evening. Organizers planned to get the word out about the Aug. 11 demonstration through mobile devices rather than with a "public announcement beforehand," in order to maintain the "element of surprise," the local-news site SFist reported.
The data breach victims had nothing to do with the decision to suspend the services or with the fatal shooting. "It is puzzling to me how exposing thousands of innocent people's personal information hurts BART more than it hurts transit users," Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.
"It's just common sense that I shouldn't be the target," one of the victims whose details were included in the data dump told The Register, adding that he'd received a "creepy" phone call from a person claiming to be a member of Anonymous who uttered "foul language, hushed tones and threats."