Over 3,000 Luas user records ‘may have been compromised’ in cyber attack

Tram service says no financial information was compromised in attack which has shut down website

A Luas travelling along Dawson Street, Dublin in a file photograph by  Dara Mac Dónaill
A Luas travelling along Dawson Street, Dublin in a file photograph by Dara Mac Dónaill

Tram operator Luas has so far identified 3,226 user records which may have been compromised as a result of a cyber attack on its website on Thursday morning.

The company said it related to records of “where people signed up to a Luas newsletter” and that it was in contact with the Data Protection Commissioner.

“Luas will write to these people within the next 24 hours informing them of the potential breach,” a statement from the company said.

Luas said no financial information had been compromised in the attack, which has led to the company’s website being shut down.

READ SOME MORE

The operator said as their investigation was ongoing at present, there was no estimation “as to the full damage done to the site”. It also said a full restoration of the site could not be ascertained.

Technicians are working on a temporary site for customer information which would be up and running as soon as possible, Luas said.

“It was a professional attack, and when discovered, the Luas website was taken down (offline) and IT technicians began their investigations,” it said.

“The site is being analysed to identify how the attack occurred and technicians are working to restore the service for the customer.”

A message appeared on its website on Thursday morning saying “You are hacked” and referring to “serious security holes”.

It continued: “The next time someone talks to you, press the reply button you must pay 1 bitcoin in 5 days otherwise I will publish all data and send emails to your users.”

Bitcoin is a cryptocurrency and one Bitcoin is currently worth about €3,400.

“Luas is operating in accordance with early detection and timely countermeasures to mitigate the impact,” it added.

“We would like to apologise for any inconvenience caused to our customers as a result of this Cyber-attack.”

Luas also said its site had a valid SSL digital security certificate.

An Garda Síochana said the Garda National Economic Crime Bureau was aware of reports in relation to the matter and those reports were under assessment.

Security

Companies’ websites are increasingly being attacked by hackers, according to one of the State’s leading IT security experts.

Brian Honan, an independent security consultant who has also served as a special adviser to Europol's Cybercrime Centre (EC3) said the attack on the Luas' official website is "relatively common".

“You have hackers out there who regularly scan the internet, looking for vulnerable websites,” he said.

“A vulnerable website would be a website with a security weakness in it that the owner isn’t aware of.”

Mr Honan said as more companies are starting to use websites they later “tend to forget about it”.

“They have a big project to get themselves online and get their website content ready but they forget to keep their website patched and updated and to regularly review it to make sure it’s kept secure, and unfortunately because people don’t look after their sites they tend to become vulnerable over time.”

Mr Honan said hackers can range from “bored teenagers” right up to organised crime gangs. He said demanding a relatively small amount of money could be “due to a number of reasons”.

“The person doing the hacking could be based in a country where €3,500 could be an annual salary. We’ve seen ransom demands for as little as $100 and even $50 and people have been very happy to receive that amount of money. It depends on where the person is located...It could also be a psychological move by the attacker.

“They could be thinking to themselves well if the company only has to pay €3,500, it may cost them a lot more to hire people to find out where the problem is and to fix the problem.”

Ronan Murphy, chief executive of cyber security firm Smarttech 247 said it had already seen a “sharp rise” in ransomware attacks during the first days of 2019.

Mr Murphy said it was assisting two international companies, which have Irish operations, paying ransoms of €70,000 and €23,000 worth of Bitcoin after their internal systems were hacked.

“Just this morning, we had to provision €38,000 worth of Bitcoin, we had to pay it to a Russian hacking group. Unfortunately that’s only the first batch, we will probably have to do the same again this evening,” he said.

“In this instance, both of the companies... it’s not just all of their systems but they /[the hackers/] also have their back-ups as well so they’re in a very precarious situation in that they have to either pay up or try and run the business with everything totally gone.”

Mr Murphy said while their advice is not to pay the ransom, “in certain circumstances companies have no choice”.

Joe Brady, CIO of Evros Technology Group said ransomware came to “the forefront as a serious risk in 2016 before reducing somewhat in pervasiveness through 2017 as organisations came to terms with the early versions of this threat”.

“We are now starting to see an increase in these types of attacks with more aggressive behaviours and delivery mechanisms, often targeting backup data as well as production files and seeking to propagate itself throughout the network,” he said.

Sarah Burns

Sarah Burns

Sarah Burns is a reporter for The Irish Times