Anonymous victimized transit passengers who ride San Francisco's BART rail system by dumping personal information after a successful SQL injection attack.
Passengers who ride the San Francisco regional subway system are the latest innocent victims, as hacktivist collective Anonymous stole and released sensitive information belonging to more than 2,000 riders.
On Aug. 14, the loose-knit group of hackers breached MyBart.org, the Website commuters use to get information from the Bay Area Rapid Transit system. The names, street and email addresses and site passwords for about 2,400 people who'd registered with the Website were dumped on various torrent sites. Some database dumps also included phone numbers for many users. The attackers defaced the Website with Guy Fawkes masks.
The attack was in protest of two fatal shootings by the transit police and the regional subway authority's decision to temporarily suspend cell phone service in its stations, Anonymous wrote in a note. BART officials disconnected cellular antennas used at several San Francisco stations on Aug. 11 to disrupt plans for a demonstration protesting the fatal shooting on July 3 of a passenger accused of throwing a knife at a transit officer. No protest actually took place during the time the cellular link was down.
"A civil disturbance during commute times at busy downtown San Francisco stations could lead to platform overcrowding and unsafe conditions for BART customers, employees and demonstrators," BART officials said in an Aug. 12 statement. The suspension was for only a few hours and did not affect cellular service outside the stations, the officials said.
An earlier protest on July 11 had disrupted BART service in the evening. Organizers planned to use mobile devices to get the word out about the Aug. 11 demonstration rather than making a "public announcement beforehand," in order to maintain the "element of surprise," the local-news site SFist reported.
The data breach victims had nothing to do with the decision to suspend the services or with the fatal shooting. "It is puzzling to me how exposing thousands of innocent people's personal information hurts BART more than it hurts transit users," Chester Wisniewski, a senior security advisor at Sophos, wrote on the Naked Security blog.
"It's just common sense that I shouldn't be the target," one of the victims whose details were included in the data dump told The Register, adding that he'd received a "creepy" phone call from a person claiming to be a member of Anonymous who uttered "foul language, hushed tones and threats."
Attackers exploited a SQL-injection vulnerability on the site, according to the Anonymous note. In this kind of attack, database commands are entered inside a form, such as a forum post, comment box or even log-in box. If the developers didn't handle that user input properly in the code, so that it is passed into the database query as if it were part of the command, the form would return data from the database server.
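The mechanism in the paragraph above, shown beside its fix, as an added example that is not code from the article or from MyBart.org: the rider table, its records and passwords are constructed, and the hardened login compares salted hashes instead of stored plaintext, which also addresses the unencrypted-password point the article raises later.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data standing in for a rider-registration table; not MyBart's real schema.
RIDERS = [
    ("alice@example.com", "s3cret-pass", "415-555-0100"),
    ("bob@example.com", "hunter2", "415-555-0101"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: a dump of this column does not hand out reusable passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT, salt BLOB, pw_hash BLOB, phone TEXT)")
    for email, pw, phone in RIDERS:
        salt = os.urandom(16)
        # The cleartext 'password' column exists only to model the weak original design.
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                     (email, pw, salt, hash_password(pw, salt), phone))
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> list:
    # The query text is assembled from the form fields, so a quote character in
    # the input closes the string literal and whatever follows runs as SQL.
    sql = (f"SELECT email, phone FROM users WHERE email = '{email}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> list:
    # Bound parameters keep the form fields as data, never as SQL, and the value
    # compared is a salted hash rather than the password itself.
    row = conn.execute("SELECT salt, pw_hash, phone FROM users WHERE email = ?",
                       (email,)).fetchone()
    if row is None:
        return []
    salt, pw_hash, phone = row
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return []
    return [(email, phone)]
```

Feeding the same quote-bearing input to both functions shows the difference: the concatenated query returns every rider's record, while the parameterized one returns nothing.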
MyBart.org had "virtually no security," according to the note. Adding that any "8-year-old with an Internet connection" could have breached the site, Anonymous pointed out that none of the information, including passwords, was encrypted.
"It's time for organizations that store customer data to step up and take responsibility for the information they have been trusted with," Josh Shaul, CTO of Application Security, told eWEEK. If the database contains any sensitive information, then organizations "simply must" directly protect the databases and not rely on perimeter defenses such as corporate firewalls and antivirus systems, Shaul said.
Consumers need to start demanding that businesses they work with have better information security practices. "If the market doesn't punish those who lose our data with complaints and lost customers, this flood of successful attacks is not going to stop," Shaul said.
Anonymous and similar groups of protest-hackers have breached a number of major government-related Websites recently, including the theft of information from 70 law enforcement agencies around the country.
Anonymous released some information on follow-up OpBART attacks, including a campaign to bombard email addresses and fax numbers with messages, knocking the site offline, and a "physical protest" at the Civic Center BART Station.
BART officials said they were preparing for further attacks from Anonymous but stressed that the Web infrastructure was separate from any networks running BART transportation services, so train service would not be affected by any further incidents.