Hacker cost SF Muni $50,000 in lost fares, agency says

Muni may have saved $73,000 by refusing to give in to the demands of a cyberextortionist who hacked into the transit system’s computers. But the ransomware attack still cost the Municipal Transportation Agency an estimated $50,000 in lost fares, officials said Friday.

After Muni learned it had been hacked the night of Nov. 25, officials shut down the ticket machines in the Muni Metro system’s subway stations and threw open the fare gates. The actions were taken to stop the spread of the cyberattack and to ensure that passengers’ financial information couldn’t be accessed.

The rides remained free through last Saturday. Fare gates and ticket machines were back in service by Sunday morning.

Photo caption: Ben Alvers, a SF State student, waits for a Muni train at the Embarcadero Station Tuesday, July 13, 2011. When California’s state budget passed, politicians boasted that there weren’t any new taxes in it, and that it would put $1,000 in the pocket of the average Californian. But Californians will pay at least that much, if not more, in fees imposed in the past couple of years across the Bay Area and state, including San Francisco Muni fees. Photo: Lance Iversen, The Chronicle

MTA spokesman Paul Rose said Muni typically brings in $120,000 systemwide in cash and single-trip fares on a weekend day. That figure includes fares paid on buses, cable cars and Muni Metro both inside and outside the stations where a handful of fare gates were opened during the attack.

The ransomware attack was triggered when an employee clicked on an email attachment, pop-up or link. The attack affected about 900 Muni computers, locking their users out and displaying the message “You hacked” that instructed Muni officials to pay 100 bitcoin, a digital currency, worth about $73,000.

MTA officials refused to pay up, never even communicating with the hacker, Rose said. Instead, the agency contacted the Department of Homeland Security and began restoring the frozen computer systems using backups. By Monday, the MTA’s computers were back in service.

When Muni declined to pay the ransom, the hacker then threatened to release confidential information he said he had obtained about passengers and employees. MTA officials, after consulting with Homeland Security and its internal computer security experts, decided the hacker was bluffing, and continued to ignore his demands.

Michael Cabanatuan is a San Francisco Chronicle staff writer. Email: mcabanatuan@sfchronicle.com Twitter: @ctuan