Hello folks, it's time for a transportation story, and this time it is just as confusing as it probably seems.
Some of you may know, and some may not, that I am part of a committee which does accessibility work for the transportation company L.A. Metro. In March, people at the meetings I attend were asking questions about certain parts of the system which did not work.
From time to time, issues pop up with TAP, with payment processes related to TAP, with GTFS real-time data, or with some other technical matter. But when it is everything at once, or some combination of these things happening together, someone has to wonder.
As part of my role, I have been asked to attend various meetings besides my own at the Accessibility Advisory Committee.
When March's meetings commenced after the AAC, people started asking about a cyberattack. My first thought was "What cyberattack?"
I paid it no mind, even though I checked local news sources like KNX and KTLA in Los Angeles. These are two different news sources which have covered Metro-related news in the county in the past.
As meetings progressed, similar questions came up, including at the Public Safety Advisory Committee and at least one service council I'm a public member of, the San Fernando Service Council.
San Fernando Service Council web page
While inquiring with staff about some internal matters, I was told to talk to other staff about the issue. All I really wanted to know was whether the issue I was inquiring about was a system-wide issue or an AAC issue. If it were a system-wide issue, I'd be fine, and that would be the end of it.
The next day, someone responded to the text(s) I had sent them about other things and told me about the "cyber attack" and that it was in the news. The problem was … I had not seen anything at the time I looked, so nothing had made sense.
This all started just shy of the mid-March meeting cycle, when meetings like Operations, the full board, and other early-month meetings like the San Fernando meeting occur. Let's make things very clear: comments were made during the full board meeting in March, and there was no response.
In early April, the Los Angeles Times, one of many newspapers covering California news, came out with an article. This means that I, as a bus rider, need to be looking for articles like this when I don't even know what I'm looking for. Especially since major news sources like the Times don't normally report on computer issues like a potential cyber attack, or even cyber crime for that matter.
As I said, I have attended many meetings and gotten no clear answers. Finally, after the PSAC meeting, I decided to do a search to see what the hell seemed to be going on and what I could learn. Remember, I had just asked staff about some internal things that I needed taken care of, and all they could tell me was that there was an issue and to talk to someone else.
Within the last several days, I’ve been working on trying to get things set up and podcasts released that talk about this. One podcast was released where we read the aforementioned L.A. Times article, and another podcast will be doing the same on another one.
By this time, my internal issue was becoming very interesting, and it reminded me of a similar one which took some time to resolve. I honestly thought this was similar to last year's case, but then I learned about this, and nothing was ever posted on Metro's official blog about the issue.
I decided to send out what I had found and talked about, and to get RSS working so I can keep up with this type of issue as I cover it on this podcast. So let's go ahead and talk about what we know so far.
There are two articles.
The first article is titled "L.A. Metro confirms it was hacked. Weeks later, it's still getting systems back online." It was my first read into what might be going on, so I could get an understanding of the situation. Let's step through the coverage in this article.
The first paragraph says:
L.A. Metro shut down parts of its network after its security team detected hacking activity last month, and law enforcement and cybersecurity specialists are continuing to investigate who was behind the attack, authorities said.
That's nice, but as I pointed out earlier, questions had already surfaced before this, and now coverage like this is too late.
The second paragraph says:
“On Monday, March 16, Metro proactively limited employee access to many internal administrative computer systems after the agency’s security team discovered unauthorized activity,” an agency spokesperson said. “Throughout this time Metro’s essential rail and bus service has continued to run uninterrupted, as have our vital transit safety and security systems.”
If my memory serves me, the Operations committee met on March 19th, and questions were already coming in. So … why did Metro not use its own resources to tell people they were having trouble when they shut down the network to protect themselves? The other question is, were staff notified about what was going on but told to say nothing? Staff could at least tell the public that they can't comment on investigations, or even that there may or may not be an investigation. There's a standard in this industry: basic information should be communicated to all employees of any company, including large ones like Metro.
The article continues:
The full scope and origin of the attack remain unclear, and Dutra emphasized that the investigation was continuing. He said officials did not yet know who was behind the breach or what data, if any, might have been targeted.
“What is amazing [to] us [is] that we were able to maintain all of our bus and train services throughout this entire process,” he said.
Of course it's unclear: there has been silence from the company from the very beginning, and you told nobody anything, including any stakeholders you have.
The problem I have with this L.A. Times article is that it is very vague, there's very little detail, and it answers nothing. I do not blame Mr. Dutra, or anyone else who spoke for that Times article, but as an outsider who only sits on a committee, that doesn't sit well with me.
Now, here's the real problem Metro has to face. There's an article titled "Ababil of Minab claims cyberattack on LACMTA, exposing risks to rail control systems and critical transit infrastructure." This is the second of two. In the further reading you'll find three, because the third points to the second in its coverage, similarly to this blog linking back to sources in our coverage. There's nothing wrong with that.
Let me make this very clear. This article is very heavily focused on claims, and nothing here is confirmed. Although the article says these things, they should not be taken as fact.
Between the L.A. Times article and the Industrial Cyber article we picked up, Metro's environment may have either 1400 servers or 1421 servers, but this is not confirmed. We can confirm that infrastructure was taken offline for a period of time while each server was checked, and is continuing to be checked, to make sure it's clean.
Let’s now go ahead and break down the second article.
The opening paragraph states:
New research from Dataminr detailed that a pro-Iranian threat actor known as Ababil of Minab has claimed responsibility for a cyberattack targeting the Los Angeles County Metropolitan Transportation Authority (LACMTA), alleging access to critical systems, including virtualization infrastructure, web servers, and an operational rail yard management system. The group published screenshots and video evidence via its Telegram channel and website, asserting it had compromised internal systems. However, the transit agency had not confirmed the breach at the time of reporting.
To the average reader, this should be scary. But it gets scarier as you continue to read such an article. The second paragraph says:
The Ababil of Minab attackers further claimed to have wiped 500 TB of data and exfiltrated 1 TB of sensitive information, while warning that the incident is ‘only the beginning’ and threatening additional attacks. Screenshots shared by the group appeared to show access to real-time rail yard management and train control displays, raising concerns about potential OT (operational technology) exposure and broader safety implications beyond a conventional IT system compromise. However, the extent of the intrusion remains unverified.
So now we have two different paragraphs, one claiming responsibility, the other claiming how much crap they supposedly took. When you read these two paragraphs and think to yourself that this is a lot of data to have been wiped, you're right. Remember, until the claims are confirmed, treat this as unconfirmed. 500 TB is equal to half a petabyte, which is shortened to PB. Nobody has this in their home setup; this is a very large piece of infrastructure that only an enterprise can have.
What else bothers me about this is that they apparently stole sensitive info (about 1 TB), but the article doesn't say what that might be. Was it names, addresses, phone numbers, SSNs, etc., or what exactly was stolen? You don't have to give us the data itself, but just say what could have been taken. Maybe this is unknown, and that could in theory be a good thing. But then again, any data a potential actor has that is not theirs is bad news for the company, customers, stakeholders, or bus riders that might be affected.
At article writing time, no new info has been forthcoming on whether this is true or not. This is what needs to be stressed.
This article does talk about the group, and I can tell you that I had never heard of them until I saw this article. That paragraph says:
“Ababil of Minab is an emerging pro-Iranian hacktivist group with a limited public profile and little verifiable prior activity in threat intelligence reporting — making any definitive capability or intent assessment premature at this stage,” Dataminr wrote in its post. “Despite this low prior visibility, Dataminr’s real-time monitoring surfaced the group’s claims at the point of initial publication, providing early warning ahead of traditional intelligence channels.”
Dataminr (probably pronounced "data miner") is another company, probably in the security industry, so if they're getting this intel, this could be good for Metro. I hope the company shared it with the appropriate department within Metro.
What is interesting is a paragraph that talks about activating Windows. You'd think in an enterprise environment this would not be the case; maybe something else is going on? The article goes into detail about how this could have been possible.
What else bothers me is that while the article talks about potential messaging and web defacement, this author only saw a message talking about GTFS data issues and apologizing for the inconvenience while they rectify it. This author did not see any type of defacement or redirects. We were able to access Metro's properties just fine, as we have been putting out meeting notices and downloading files without trouble during this issue. We also put out a podcast in the "day in the life" series talking about the new PSAC members, and I read the names right off the web at the time the podcast was released.
Dataminr does go into detail in the article about what Metro, or any other large agency like Metro, should do to make sure they're protected as much as possible. This includes segmenting networks, isolating those segments where possible, and other things that I may not cover here. It would not surprise me if Metro will eventually have to report this to authorities once the investigation concludes, and the fact that they've not confirmed anything makes me just a little bit worried. This isn't because I participate in a committee; this is the widespread pattern no matter what happens. And we'll find out some 6 months to a year later.
Until we know more, seeing responses like "scary stuff" is a normal reaction to a story like this when it's all claims that people are reading.
What people need to understand is that places like Telegram are known for talk and "boasting," even if it comes out that what they are "boasting about" may not be completely true.
What we really need to do here is analyze what is being written, keep it in our minds, and wait for the company to confirm what it can.
In Metro's case, given that they have approximately 1421 servers (as reported in the articles), we need to give them time. We don't even know what was taken, let alone anything else. Then again, once an attack is known, getting out info about what you do know is key. Quickly and accurately.
As part of what went wrong, Metro and the PR team have said absolutely nothing. We know from other experiences that we do usually get at least something.
If I were doing PR, even if counsel said we can't say anything, I would make it very basic. I would put out a statement, make it clear that we're "investigating" a potential cyber incident, and say that when we know more, we'd report back. Or I'd put out that we are not sure if there is a cyber incident, but we are aware of issues that our riders are experiencing. The fact that the website only mentioned GTFS data did not tell me the bigger picture that I found out through reading public information. Even if Metro only learned recently that it was attacked, they should have come out and told us what they knew. They should have told us that the investigation was still ongoing, and everyone would know something.
The fact that sources are out there republishing similar claims with no confirmation is "scary," but it's normal in the cybersecurity industry.
What to read
Here's what to read from coverage around the web as of April 15, 2026.
- "L.A. Metro confirms it was hacked. Weeks later, it's still getting systems back online," The L.A. Times (April 2, 2026)
- "Ababil of Minab claims cyberattack on LACMTA, exposing risks to rail control systems and critical transit infrastructure," Industrial Cyber (April 15, 2026)
- "Pro-Iranian Threat Actor Claims Responsibility for Cyber Attack on Los Angeles County Metropolitan Transportation Authority," rtands.com (April 15, 2026)
Podcasts to listen to
I have a podcast titled A Day in the Life of Jared at L.A. Metro which covered the KTLA article. Here is the link to the episode titled "L.A. Metro confirms Cyberattack" for you to hear and get a transcript.
If you do not have RSS, you don't understand how RSS works, or you have an idea but don't know what to use, I can send you a file. Please reference podcast 59 of A Day in the Life, which is my podcast number. By default, programs may be released in a certain order, i.e. meeting coverage before article coverage, unless a big story like this occurs. A future article will break down the Industrial Cyber article in full.
You may find contact info on the blog’s contact page, or find brief contact info below.
Please stay safe out there.
Jared Rimer
tech at menvi.org (use the at symbol where appropriate)
804-442-6975 text/WhatsApp
888-405-7524 comment line