L.A. Metro shut down parts of its network after its security team detected hacking activity last month, and law enforcement and cybersecurity specialists are continuing to investigate who was behind the attack, authorities said.
“On Monday, March 16, Metro proactively limited employee access to many internal administrative computer systems after the agency’s security team discovered unauthorized activity,” an agency spokesperson said. “Throughout this time Metro’s essential rail and bus service has continued to run uninterrupted, as have our vital transit safety and security systems.”
Metro board member Fernando Dutra said the agency had been working through a painstaking process to bring systems back online, an effort that continues. That includes reviewing about 1,400 servers individually to ensure they are secure before restoring access and bringing systems back online, he said.
“When you think in terms of how big we are — we’re a beast,” Dutra said. “And so before we can turn the water spigot back on, we have to go through and check each one of these servers to make sure it’s clean. So that’s the reason it’s taking a little bit longer.”
The full scope and origin of the attack remain unclear, and Dutra emphasized that the investigation was continuing. He said officials did not yet know who was behind the breach or what data, if any, might have been targeted.
“What is amazing [to] us [is] that we were able to maintain all of our bus and train services throughout this entire process,” he said.
Metro is not the only regional public agency to have its computer systems targeted in a cyberattack.
The Los Angeles County Superior Court was hit by a ransomware attack in 2024 that infected its computer system with damaging software, forcing it to shut down for two days.
A year earlier, UCLA was the victim of a cyberattack, and San Bernardino County paid a $1.1-million ransom after the Sheriff’s Department was hacked. The Los Angeles Unified School District’s network was breached in 2022, when about 2,000 student records, some of which included Social Security numbers, were posted on the dark web after the district refused to pay ransom to hackers.
