A data breach at Metro Mobility, the Twin Cities transit service for people with disabilities, may have exposed the personal information of up to 15,000 individuals who use it.
Metro Mobility has notified customers that an employee’s e-mail account was hacked by an unauthorized person, compromising personal ride information between June 13 and Aug. 14, when the breach was discovered. The hacker may have accessed individual rider names, pickup and drop-off addresses, times of rides and special instructions for Metro Mobility drivers.
Social Security numbers and personal financial data were not compromised, according to a notice sent to customers.
Officials at the Metropolitan Council, which oversees Metro Mobility, said they have launched an internal investigation and will produce a report into how the breach occurred. The agency has also reported the breach to the St. Paul Police Department.
“We don’t know whether the person viewed your information or took your information from the employee’s account,” according to a notice to customers on Aug. 23. “As soon as we discovered the unauthorized access, we secured the e-mail account.”
Metro Mobility is an invaluable service for many people with both physical and developmental disabilities who need to get around the Twin Cities.
The public service provides shared rides in small buses equipped with wheelchair lifts to up to 62,000 people who are certified as unable to use light rail or buses because of a disability or health condition. Many of its customers have no other means of transportation and rely on the service to get to work, school, shopping and other destinations.
The breach at Metro Mobility is the latest in a string of recent cyberattacks involving public agencies serving vulnerable Minnesotans, as hackers become increasingly deft and sophisticated at stealing private data.
The Minnesota Department of Human Services (DHS), the state’s social service agency, has reported three incidents since last year in which hackers accessed state employee e-mail accounts. Last March, for instance, a hacker unlawfully logged into a state e-mail account of a DHS employee and used it to send e-mails to one of the employee’s co-workers, asking that co-worker to pay an “invoice” by wiring money. That breach may have exposed the personal information of about 11,000 individuals.
In a separate incident last September, a hacker used an e-mail phishing campaign to gain access to the state e-mail account of an employee in the Children and Family Services division of DHS. The hacker used this account to send spam e-mail messages and may have viewed some of the information contained in the account, according to DHS notifications.
Minnesota IT Services, which provides technology services to state agencies, said it blocks more than 8,000 e-mail threats daily.