Ransomware attack paralyzes Vancouver public transportation agency
Customers left unable to buy tickets or use travelcards for two days


TransLink, Vancouver, Canada's public transportation agency, has become the victim of a ransomware attack that has left residents of the city unable to use their Compass metro cards or pay for new tickets via the agency's Compass ticketing kiosks.
The attack took place on Tuesday, but the agency initially passed it off as a prolonged technical issue. However, reporters at local radio station CITY NEWS 1130 found out what had happened and forced the organization to admit the attack took place.
"We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure," TransLink CEO Kevin Desmond said in a statement to the radio station.
“TransLink does not store fare payment data. We use a secure third-party payment processor for all fare transactions, and we do not have access to that type of data.”
Desmond didn’t reveal the ransomware’s name but confirmed the hackers printed a demand note on the agency’s printers.
“Your network was attacked, your computers and servers were locked,” the note read. Printing these notes on an organization’s printer is a tactic used by the Egregor ransomware.
Services were restored Thursday afternoon.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Sam Curry, chief security officer at Cybereason, told ITPro that these types of attacks are increasing against public and private sector companies, but there’s a silver lining.
According to Curry, “The silver lining is that there are fewer strains of ransomware in the wild and the good guys or defenders have more than a fighting chance to turn the tables on the cyber adversaries. And good for TransLink for eventually owning up to the fact it was a ransomware attack. Honestly, they should have come clean at the outset, shared as much information as possible and assured customers they were doing everything humanly possible to restore transportation services to normal.”
Stuart Sharp, VP of technical services at OneLogin, told ITPro that it’s fortunate that Translink doesn’t store any financial information, so citizens’ financial data wasn’t at risk in the attack.
“It goes to show that any organization where an IT system plays a crucial role in running services is at risk from ransomware attacks, not just organizations that store sensitive data,” Sharp said.
Javvad Malik, security awareness advocate at KnowBe4, said ransomware operators are more focused and targeted in their attacks.
“They tend to spend more time within an organization before deploying ransomware. This allows them to not only steal data that they can use to further blackmail the organization or its customers with but also to identify which data and systems to encrypt with ransomware for maximum impact,” he said.
Malik added it's essential that organizations have controls in place to prevent ransomware from gaining access via a layered security strategy that includes technical controls and ensuring employees receive security awareness and training.
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.
-
Big tech CEOs are fueling the fire of AI confusion
Opinion Mixed messaging on the effectiveness of AI only raises fears that the technology will steal human jobs
-
Three things you need to know about the EU Data Act
News A host of key provisions in the EU Data Act will come into effect on 12 September, and there’s a lot for businesses to unpack.
-
Prolific ransomware operator added to Europe’s Most Wanted list as US dangles $10 million reward
News The US Department of Justice is offering a reward of up to $10 million for information leading to the arrest of Volodymyr Viktorovych Tymoshchuk, an alleged ransomware criminal.
-
Jaguar Land Rover “did the right thing” shutting down systems to thwart cyber attack
News The attack on Jaguar Land Rover highlights the growing attractiveness of the automotive sector
-
Ransomware attack on IT supplier disrupts hundreds of Swedish municipalities
News The attack on IT systems supplier Miljödata has impacted public sector services across the country
-
A notorious hacker group is ramping up cloud-based ransomware attacks
News The Storm-0501 threat group is refining its tactics, according to Microsoft, shifting away from traditional endpoint-based attacks and toward cloud-based ransomware.
-
Security researchers have just identified what could be the first ‘AI-powered’ ransomware strain – and it uses OpenAI’s gpt-oss-20b model
News Using OpenAI's gpt-oss:20b model, ‘PromptLock’ generates malicious Lua scripts via the Ollama API.
-
Data I/O shuts down systems in wake of ransomware attack
News Regulatory filings by Data I/O suggest the costs of dealing with the attack could be significant
-
Average ransom payment doubles in a single quarter
News Targeted social engineering and data exfiltration have become the biggest tactics as three major ransomware groups dominate
-
BlackSuit ransomware gang taken down in latest law enforcement sting – but members have already formed a new group
News The notorious gang has seen its servers taken down and bitcoin seized, but may have morphed into a new group called Chaos