Los Angeles Metro, the public transit operator for Los Angeles County, California, restricted access to internal administrative computer systems after detecting “unauthorized activity,” disrupting some rider information and fare-loading options while trains and buses continued operating, officials said.
Metro said Thursday its security team discovered the activity and limited access to internal administrative computers as a containment step. The agency said the move was intended to protect customers “without disrupting service,” though it called the restrictions an inconvenience for employees.

Metro has not said who was responsible, and no group has publicly claimed the incident. Metro did not respond to an email from DysruptionHub seeking additional details.
Metro said the restrictions left some station monitors unable to display arrival times. The agency also warned riders could have problems adding value to TAP cards through Metro’s website or customer service lines and advised customers to reload at ticket vending machines. One rider told ABC7 that a vending machine and a mobile payment attempt did not work.
Metro’s Service Alerts page separately posted that bus and rail service alerts were delayed due to a “technical issue,” directing riders to Metro’s alert channels for updates. Metro’s Rider Alerts account on X also said service alerts would be delayed and warned riders they were unable to load fare on the TAP Mobile App, again advising customers to buy or reload through ticket vending machines.
Separately, ransomware-tracking site ransomware.live listed the City of Los Angeles as a victim of the “Worldleaks” group, and the entry shows it was discovered by ransomware.live on March 20, 2026. The site also displays an “estimated attack date,” which ransomware.live notes is not a confirmed timeline. Los Angeles Metro is operated by the Los Angeles County Metropolitan Transportation Authority, not the city. Metro has not linked its system restrictions to that listing.
Transit agencies have faced similar disruptions in recent years, often keeping vehicles running while customer-facing technology is impaired. The Maryland Transit Administration said an Aug. 24, 2025, cybersecurity incident involving unauthorized access disrupted some systems, including Mobility paratransit, real-time arrival information and call centers, while core service continued. Pittsburgh Regional Transit reported a ransomware attack, detected Dec. 19, 2024, that briefly affected light-rail operations and disrupted some customer service systems. In Honolulu, city transportation officials confirmed a cyberattack that took multiple online services offline, including real-time GPS and other customer-facing tools for TheBus and Handi-Van.
Metro did not explicitly link the service-alert delays described as a “technical issue” to its statement about “unauthorized activity,” but both updates described disruptions affecting rider information and fare-loading options during the same period.
Metro said bus and rail operations were not affected and that customer and employee data were not impacted. The agency said it was working to restore access to impacted internal systems.