Between 2020 and 2024, the French National Agency for Information Systems Security (ANSSI) recorded 123 security events related to urban transport, including 32 incidents confirmed as genuine cyberattacks. The rest correspond to reports of phishing campaigns, disclosure of identifiers, or poor security practices. Buses, trams, metros, ride-hailing services, and taxis: no mode of transport is spared.
Serial attacks, multiple motivations
According to the agency, more than half of the problems identified involve DDoS attacks, data leaks, or identity theft. The report notes that "transport services, due to their criticality, do not tolerate interruptions well," making them ideal targets for ransomware. These profit-driven attacks aim to pressure companies to pay to restore their services. Anssi notably mentions four cases of ransomware compromise in France between 2020 and 2024, without major impact, but revealing the vulnerability of the sector.
Users are not spared either. Databases managed by operators – often rich in personal and banking information – are regularly targeted. In 2023, for example, Île-de-France Mobilités reported the exfiltration of 4,000 email addresses and passwords. This data is resold or used for other attacks, notably through "credential stuffing."
The report highlights a massive interconnection between the various transport players: operators like Keolis or Transdev, local authorities, technical service providers... A complexity that favors the spread of attacks. The equipment itself, such as signaling systems or ticketing kiosks, is often old and vulnerable, sometimes poorly protected or connected to the Internet without sufficient partitioning. "Some OT networks are characterized by their horizontality and their lack of compartmentalization, warns the agency.
Increasing automation – with CBTC-controlled metros or intelligent road transport systems – multiplies attack surfaces. The massive use of IoT (cameras, sensors, billboards) further widens this vulnerability.
The prospect of "smart cities," where transport networks are integrated into The impact of broader urban systems (water, energy, and traffic management) is worrying ANSSI. It cites as an example the 2023 attack on the transport authority in the city of Olsztyn, Poland, which paralyzed ticket sales and disrupted road traffic.
Beyond financial motivations, some attacks have more political aims. In 2024, the Paris Olympic Games were marked by an increase in cyber offensives, including DDoS attacks attributed to pro-Russian hacktivist groups. Entities such as RATP, Transilien, and taxi operators were briefly targeted.
ANSSI also does not rule out industrial or strategic espionage. Cases have been identified internationally, such as the attack on the New York MTA in 2021, where hackers linked to China allegedly exploited a critical flaw. In France, few attacks of this type have been confirmed, but the agency remains cautious: these operations are inherently difficult to detect.
The report concludes by calling on operators to strengthen their security measures, including system partitioning, regular audits, and better access management. Because as transport becomes more connected, the threat also becomes more mobile.
0 Comments