Threat actors have allegedly posted a large number of sensitive files online after exploiting a vulnerability in the San Francisco Bay Area Rapid Transit System (BART) Police Department.
According to NBC News, the leak included some 120,000 files, containing specific allegations of child abuse, names and birthdates of victims and, in some cases, adult descriptions and information on the alleged abuse.
The leak also reportedly comprised names and driver’s license numbers of contractors who have worked on BART projects, police reports naming suspects for various crimes, and hiring documents for prospective officers.
The attack has reportedly not disrupted services for the transit system, but according to SafeBreach CISO Avishai Avivi, it does raise questions about data security and privacy.
“Unfortunately, public sector organizations tend to be at higher risk for a breach. The challenge of attracting cybersecurity talent, combined with constrained budgets, typically correlates with a lagging cybersecurity program,” Avivi told Infosecurity.
The security expert also explained that public sector organizations are less likely to have the option of paying the ransom that the malicious actors are demanding.
“Sadly, as can be seen through the information already described, the malicious actors have very little regard for the true victims of this breach – the people whose information was stored in the compromised files,” Avivi added.
“Public sector organizations must avail themselves of all of the free services provided by CISA and follow the advisories they publish. No public sector organization can assume that they are not a target.”
With regard to the leaked data, BART police chief Ed Alvarez issued a public statement to Infosecurity via email.
“We are investigating the data that has been posted. To be clear, no BART services or internal business systems have been impacted. As with other government agencies, we are taking all necessary precautions to respond.”
The alleged breach comes days after Wabtec Corporation disclosed details of a data security incident that led to the compromise of highly sensitive personal information last year.