Ransomware Shut Down an Entire California City—Then Hit LA's Transit System Hours Later

A City Goes Dark Overnight

In the early hours of Thursday, March 19, IT staff at Foster City, California discovered ransomware spreading across the city's computer networks. By morning, nearly every non-emergency municipal service was offline. Building permits, business licenses, park reservations, public records requests, utility billing—all frozen. City Manager Stefan Chatwin declared a state of emergency, a step normally reserved for natural disasters, to unlock supplementary financial support from outside agencies.

Foster City is not a rural outpost with an understaffed IT department. The Bay Area municipality of approximately 34,000 residents sits 30 minutes south of San Francisco in the heart of Silicon Valley. It hosts headquarters for major technology and science companies. Despite that proximity to the tech industry, the city's own infrastructure proved vulnerable to the same ransomware tactics that have been hitting municipalities across the country for years.

Hours Later, LA Metro Found Intruders Too

The same day, the Los Angeles County Metropolitan Transportation Authority discovered unauthorized activity on its own network. Metro's security team proactively limited employee access to internal administrative systems to contain the threat. Riders noticed station monitors going blank and TAP card services, including online value additions and customer service channels, going down.

Metro officials stated that "at this stage of our investigation, Metro has not found that customer and employee data has been affected." But the precautionary shutdown of internal systems suggests the unauthorized access was serious enough to warrant cutting off employee access entirely rather than risk lateral movement through the network. A ransomware gang claimed responsibility for targeting Los Angeles, though the connection between the Foster City and LA Metro incidents has not been formally established.

What Was Exposed

Foster City warned residents that hackers may have accessed public information stored on city systems. Anyone who has conducted business with the city, filed permits, paid utility bills, or submitted public records requests, should assume their information may be compromised. The city advised residents to:

• Change passwords for any accounts that use the same credentials as city service portals
• Monitor financial accounts and credit reports for suspicious activity
• Be alert for phishing emails that reference city services or the breach itself

Emergency services including 911 and police dispatch remained operational throughout the incident. Police non-emergency and direct lines initially went down but were restored by Friday night. The distinction matters: the attackers did not compromise life safety systems, but they effectively shut down the administrative machinery that keeps a city running.

Why Cities Keep Getting Hit

Municipal governments are disproportionately targeted by ransomware for predictable reasons. City networks tend to run on aging infrastructure with limited patching windows because taking systems offline disrupts public services. IT budgets are constrained by municipal budget cycles and competing priorities. Staff turnover means institutional knowledge about network architecture is frequently lost. And unlike private companies that can absorb downtime, cities face immediate public pressure to restore services, which makes them more likely to pay ransoms.

The pattern is well established. In the past year alone, ransomware has forced emergency declarations in multiple American cities, disrupted hospital systems, and crippled payment processors serving 80 banks simultaneously. The attackers are increasingly sophisticated, with recent campaigns employing AI assisted techniques to breach hundreds of targets across dozens of countries.

What This Means for Residents

If you live in Foster City or use LA Metro services, the immediate risk is phishing. Attackers who compromise municipal databases often use the stolen data to craft convincing follow up scams. An email that references your actual utility account number or permit application looks far more legitimate than a generic phishing attempt. Be especially skeptical of any communication that claims to be from the city or Metro in the coming weeks, particularly messages that create urgency or ask you to click links to "verify your account" or "claim a refund."

More broadly, these incidents illustrate a reality that affects everyone who interacts with local government. The personal information you provide to your city, including your name, address, phone number, email, financial details for utility payments, and property records, is only as secure as your city's IT infrastructure. And in most municipalities, that infrastructure is running on a fraction of the budget that a comparably sized private company would spend on cybersecurity.