WorldLeaks group hit Los Angeles and its Metro system, forcing a shutdown, while two Bay Area cities declared emergencies after ransomware attacks.
WorldLeaks group hit Los Angeles and its Metro, forcing a shutdown, while two Bay Area cities declared emergencies after ransomware attacks.
This week, local media reported that an unauthorized activity hit Metro’s internal systems, forcing the agency to limit access and disrupting station arrival displays.
“Unauthorized activity on internal administrative computer systems prompted Metro to limit access to those systems, resulting in station monitors not displaying arrival times, the transit agency announced Thursday.” reported NBC Los Angeles.
Riders face issues adding funds to TAP cards online or via support, so Metro urges them to use ticket machines. Rail and bus services continue to run normally, and no customer or employee data is affected. Metro continues security checks and works to restore full access.
In a separate incident, officials in Foster City said a ransomware attack is widely disrupting municipal services and pushing leaders to declare a state of emergency to secure external support and funding. Emergency services like 911 continue to operate normally, but many city services that rely on internal systems remain unavailable. City Hall stays open with limited services.
The city identified the attack early Thursday and quickly took most systems offline to protect the network. Officials are working with independent cybersecurity experts to investigate and restore operations.
The disruption affects digital services and access to information, while core emergency response remains intact. Authorities say it is still unclear whether attackers accessed or copied sensitive data, but they warn that public information may have been exposed. As a precaution, officials urge anyone who has interacted with the city to change passwords and take steps to protect their personal data.
“Out of an abundance of caution, those who have done business with the City of Foster City are encouraged to change their personal passwords and take measures to protect their personal data,” the city said, as reported by the San Francisco Chronicle.
On March 20, 2026, the WorldLeaks ransomware group added the City of Los Angeles to the list of victims on its data leak site. The ransomware group claimed the theft of 159.9 GB (779 files).
WorldLeaks is an extortion-focused cybercrime group that steals company data to pressure victims into paying, threatening public leaks if they refuse. The group emerged in 2025 after rebranding from Hunters International, a ransomware gang active since 2023. Following increased law-enforcement pressure, it abandoned file encryption and shifted entirely to data theft and extortion, claiming hundreds of victims to date.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Los Angeles)
