Anonymous continued their crusade against governments and organizations this weekend, attacking the myBART.org website belonging to San Francisco’s BART (Bay Area Rapid Transit) system.
They performed a SQL injection (SQLi) attack against the site and were able to extract more than 2,000 records containing names, usernames, passwords (plain text), emails, phone numbers, addresses and zip codes.
They also defaced the website with Guy Fawkes masks, which BART has yet to remove more than four hours later.
While it is understandable that people are upset with BART after the recent blocking of cell phone communications to prevent protesters from organizing, it is puzzling to me how exposing thousands of innocent people’s personal information hurts BART more than it hurts transit users.
Users of rapid transit are certainly not the problem, and this simply takes a bad situation and makes it worse by creating even more victims.
During my interview about the incident with KCBS radio in San Francisco this afternoon, I was asked what people can do to protect themselves against these types of attacks. What an interesting question…
Personally, I am skeptical of anyone asking for my information for almost any reason. We can’t know how that data will be protected, shared or sold regardless of what the privacy policy may say.
The best approach is to not provide your personal information where it isn’t needed and make sure you always use a unique password for every website, regardless of how unimportant you think the site may be.
If you are a user of myBART.org, I recommend changing your passwords anywhere you might have used the same password. Aside from that, there is little you can do now that your information has been published.
Website admins, if you are still storing passwords in plain text and haven’t examined your web site for SQL injection vulnerabilities, even after the attacks against Sony, I highly recommend doing so. This is not a list you want your site to be added to.