{
	"id": "2b87a274-dd4f-47af-83ea-9625d7ef6f87",
	"created_at": "2026-04-06T00:19:53.139602Z",
	"updated_at": "2026-04-10T03:21:23.123896Z",
	"deleted_at": null,
	"sha1_hash": "441b7aabb24d81c2422cebe4b270cfca25d0e396",
	"title": "TransLink confirms ransomware data theft, still restoring systems",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 810701,
	"plain_text": "TransLink confirms ransomware data theft, still restoring systems\r\nBy Sergiu Gatlan\r\nPublished: 2021-01-04 · Archived: 2026-04-05 19:40:08 UTC\r\nMetro Vancouver's transportation agency TransLink has confirmed that the Egregor ransomware operators who breached its\r\nnetwork at the beginning of December 2020 also accessed and potentially stole employees' banking and social security\r\ninformation.\r\nTransLink announced on December 1, 2020, that the transportation network was experiencing issues with their\r\ncomputing systems following a cyberattack.\r\nThese information technology issues impacted the company's phones and online services, as well as the customers' ability to\r\npay for fares with a credit card or debit card. TransLink's transit services were not affected by the IT problems caused by the\r\nransomware attack.\r\nhttps://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT\r\ninfrastructure,\" TransLink disclosed in a statement following the incident. \"This attack includes communications to\r\nTransLink through a printed message.\"\r\nDuring the attack, the ransomware operators used the company's printers to print ransom notes which BleepingComputer\r\nidentified as Egregor ransom notes, a tactic the cybercrime gang also used after infiltrating the network of retail giant\r\nCencosud in November.\r\nEmployee banking info stolen\r\nAlthough immediately after the attack was discovered TransLink representatives said that \"there is no cause for concern that\r\npersonal data has been compromised\" when it comes to customers' information, it looks like this is not the case for\r\nemployees.\r\nTransLink told employees in an internal email seen by Global News that the Egregor operators have \"accessed and may have\r\ncopied files from a restricted network drive\" and several other network drives.\r\nAccording to the email, the accessed drives containing the payroll information of TransLink, Coast Mountain Bus Company\r\n(CMBC), and Metro Vancouver Transit Police employees.\r\n\"Those restricted network drives include files that contain banking information and some social insurance numbers,\"\r\nTransLink added.\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal\r\nat +16469613731 or on Wire at @lawrenceabrams-bc.\r\nWhile the company has evidence that the drives were accessed during the attack, it is still working on identifying the\r\nimpacted employees and the files that were opened or copied by the attackers.\r\nThe transportation agency also urges all employees to sign up for two-year credit monitoring — free for all staff— as soon\r\nas possible.\r\n\"Importantly, as we outlined previously, TransLink does not store or have access to Compass customer fare payment\r\ninformation,” Translink spokesperson Ben Murphy told Global News Wednesday.\r\nMost systems still down\r\nAt the moment, most of TransLink's systems are still down after the ransomware attack — including real-time GPS data,\r\ntracking, and reporting systems — with company technicians working to restore them as soon as possible.\r\nCustomers who want to track buses are advised to use Google trip planner \"for the time being,\" until tracking systems are\r\nback online.\r\n\"We are now in the process of gradually bringing priority systems back online as safely as possible,\" Murphy added.\r\nEgregor is a ransomware operation that partners with affiliates who hack into targets' networks and deploy ransomware\r\npayloads, earning 70% of the ransom payments with the Egregor operators getting a 30% revenue share.\r\nThe affiliates who infiltrate victims' networks are also known for stealing files before encrypting devices using Egregor\r\nransomware and for using them as leverage under the threat of publicly leaking them unless the ransom is paid.\r\nEgregor started operating in September 2020 after Maze shut down their operation, with many of the Maze affiliates\r\nswitching to Egregor as threat actors told BleepingComputer.\r\nSince September, Egregor affiliates breached and encrypted the systems of several high-profile targets worldwide, including\r\nbut not limited to Ubisoft, Kmart,  Barnes and Noble, Cencosud, and Crytek.\r\nhttps://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/\r\nhttps://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/"
	],
	"report_names": [
		"translink-confirms-ransomware-data-theft-still-restoring-systems"
	],
	"threat_actors": [],
	"ts_created_at": 1775434793,
	"ts_updated_at": 1775791283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/441b7aabb24d81c2422cebe4b270cfca25d0e396.pdf",
		"text": "https://archive.orkl.eu/441b7aabb24d81c2422cebe4b270cfca25d0e396.txt",
		"img": "https://archive.orkl.eu/441b7aabb24d81c2422cebe4b270cfca25d0e396.jpg"
	}
}