LA Metro shuts down employee access following ‘unauthorised activity’ on network

The Metro said bus and rail services were not impacted, but that there may be issues with station monitors not displaying arrival times and topping up travel cards.

“Restricting systems following the discovery of unauthorised access is part of Metro’s standard safety protocols to contain and minimise risk,” the Metro said.

“Although an inconvenience to employees, these safety measures protect customers without disrupting service. At this stage of our investigation, Metro has not found that customer and employee data has been affected.”

The Metro said it was in the process of restoring access.

Ransomware link?

The news of the Metro disruption came as the World Leaks ransomware group listed the city of Los Angeles as a victim on its darknet leak site.

VIEW ALL

The hackers claim to have stolen 159.9 gigabytes of data during the incident, totalling 779 files.

The leak post does not mention the LA Metro, but several pages from a police interview have been published – the interview appears to refer to an August 2020 fatal shooting incident involving two officers of the Los Angeles Police Department.

The hackers said they will publish further data within five days.

Who is World Leaks?

World Leaks emerged as a ransomware operator in January 2025 after the hackers behind the group closed down their previous ransomware operation, Hunters International.

The group has claimed 116 victims since it first formed. Its last Australian victim was NSW-based petroleum distributor Kel Campbell, which was listed by the group in June 2025, and prior global targets include the Nike athletics company, which was listed by the threat actor in early 2026.