What is myBART?
myBART was started in 1999 to promote riding BART to events that are close to BART stations, and as a rewards program for riders. BART has been providing an email newsletter to myBART members every week for approximately twelve years, with contests, discounts, and free events that are BART accessible.
Since inception, myBART has given away tens of thousands of tickets to events around the Bay Area, offered discounts to sporting events, museums, theaters, concerts and other events, and has provided a way for BART to support the venues, independent theaters and community groups surrounding BART stations.
What data got published and when?
On Sunday, August 14, over 2,000 of approximately 55,000 myBART members had their information published to a public website. In most cases, the information consisted of names, email addresses, and passwords. In some cases, the database also listed an address and phone number.
How do I know if my account information was among the over 2,000 published?
We sent an email to each of the 2,000 email accounts that we know were affected by this attack, notifying them of the security breach and offering suggestions on protecting themselves.
It is possible that additional records were accessed by the hackers beyond the ones that were published, so we advise all of our myBART members to take precautions and change the password for any other accounts that may have used the same password as their myBART account.
Was any financial data (such as credit card numbers) compromised?
No. No financial information is stored in the myBART database.
What should I do to protect myself if I am a myBART member?
For your security, we encourage you to be especially aware of email, telephone and postal mail scams that ask for personal or sensitive information. Also, if you use your myBART user name or password for other unrelated services or accounts, we strongly recommend that you change them.
To protect against possible identity theft or other financial loss, we encourage you to remain vigilant, to review your account statements and to monitor your credit reports. We are providing the following information for those who wish to consider it: U.S. residents are entitled under U.S. law to one free credit report annually from each of the three major credit bureaus. To order your free credit report, visit http://www.annualcreditreport.com or call toll-free (877) 322-8228.
We have also provided names and contact information for the three major U.S. credit bureaus below. At no charge, U.S. residents can have these credit bureaus place a “fraud alert” on your file that alerts creditors to take additional steps to verify your identity prior to granting credit in your name. This service can make it more difficult for someone to get credit in your name. Note, however, that because it tells creditors to follow certain procedures to protect you, it also may delay your ability to obtain credit while the agency verifies your identity. Should you wish to place a fraud alert, or should you have any questions regarding your credit report, please contact the agencies listed below:
Experian: 888-397-3742; www.experian.com; P.O. Box 9532, Allen, TX 75013
Equifax: 800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
TransUnion: 800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
You may wish to visit the website of the U.S. Federal Trade Commission at www.consumer.gov/idtheft, or reach the FTC at 1-877-382-4357 or 600 Pennsylvania Avenue, NW, Washington, DC 20580, for further information about how to protect yourself from identity theft. Your state Attorney General may also have advice on preventing identity theft, and you should report instances of known or suspected identity theft to law enforcement, your state Attorney General, and the FTC.
Am I safe if my data wasn’t published on the internet?
Although your information was not published, it may still be compromised. As a precaution, if you think you may have used your myBART user name or password for other unrelated services or accounts, we strongly recommend that you change those passwords.
What about my other BART accounts? Are they safe?
The myBART.org website and myBART membership accounts were handled by an outside vendor that does not handle any other BART-related accounts or websites.
Can I cancel my myBART account?
For security purposes we have taken down the myBART.org website, so accounts cannot be canceled online at this time.
How did this happen?
A hacker group has claimed responsibility for the intrusion into the myBART system. We are currently reviewing records to confirm exactly what happened, but apparently an automated program was used to attack the site.
What is BART doing to ensure that such a thing does not happen again?
We are currently evaluating future security enhancements. At this point, we have shut down the myBART.org website to prevent further intrusions, and our focus is on providing our customers with the information they need.
What is the future of myBART?
We hope to continue to deliver the benefits of myBART – free prizes and discounts to BARTable events – but without necessarily maintaining a database of passwords or other personal data. Suggestions and comments from our members on how they would like to see the program evolve are welcomed.
In the meantime, you can follow @myBART on Twitter at www.twitter.com/mybart for the occasional giveaway, tips on events by BART and program updates.
For comments, questions or suggestions, we can be contacted at mybart@bart.gov.