Wednesday, April 23, 2025

Greater Richmond Transit Company (GRTC) experienced two cyber attacks

The Greater Richmond Transit Company (GRTC) experienced two cyber attacks within a four-month span between late 2023 and early 2024.

Here's a breakdown of the information available:

First Cyber Attack - November 2023 (Around Thanksgiving):

  • Timeline: The attack occurred around the Thanksgiving holiday in November 2023. [1]
  • Impact: It caused a temporary disruption to GRTC's computer network, affecting certain applications and parts of the network. [2]
  • Ransomware: The "Play" ransomware group claimed responsibility for this attack. [3] They listed GRTC on their data leak site and set a deadline of December 13, 2023, to pay an undisclosed ransom. [4]
  • Data Compromise: The Play ransomware group claimed to have stolen "private and personal confidential data, clients documents, budget, IDs, scans, payroll, finance information," and more. [5]
  • Service Restoration: GRTC stated that its IT staff quickly discovered the incident and restored the computer network. All services were reported to be running as scheduled, with no further disruptions for riders.
  • Investigation: GRTC engaged third-party computer specialists to investigate the nature and scope of the incident. [6]
  • No Public Disclosure Initially: GRTC did not initially disclose this cyber attack publicly.

Second Cyber Attack - February 2024:

  • Timeline: This second data breach was discovered on February 7, 2024. [7]
  • Threat Actor: The "BianLian" threat actor was identified as being responsible.
  • Data Leak Size: Approximately 1.5 terabytes of data were reportedly leaked.

General Information and Context:

  • Increased Targeting of Public Transit: Public transit systems have become increasingly targeted by cyber attacks in recent years as they automate more of their services and systems. [8]
  • Common Motives: Cybercriminals often target such entities for monetary gain, either through ransom payments or by accessing sensitive information. [9]
  • FBI Report: A 2023 FBI report indicated a significant increase in ransomware attacks since 2019, with over 40 transportation systems being targeted that year.
  • GRTC's Response: Following both incidents, GRTC stated they followed protocol to restore security. They did not specify their exact protocols.
  • Service Continuity: Despite the cyber attacks, GRTC reported no major service disruptions for riders, although live bus tracking was temporarily interrupted at one point. [10]
  • Cybersecurity Measures: GRTC issued a Request for Information (RFI) in April 2024, seeking market information on Cloud Enterprise Resource Planning (ERP) solutions. A key aspect of this RFI was to gather information on potential vendors' cybersecurity and disaster recovery approaches, including systems for threat detection, data encryption, and access security. This indicates a proactive approach to strengthening their cybersecurity posture following the incidents.

It's important to note that while the first attack, in November 2023, was a ransomware attack claimed by the Play group, the February 2024 incident is described as a data breach attributed to BianLian. It is not explicitly stated whether the second incident was also a ransomware attack, but the size of the data leak indicates that data exfiltration occurred.
