California City Reports Ransomware Attack as LA Transit Agency Finds ‘Unauthorized Activity’

Ransomware has become a persistent threat to municipal operations across California, with recent attacks on Oakland, San Francisco, Hayward and now Foster City illustrating a pattern of targeting local government systems. Cybercriminals exploit outdated legacy software, limited budgets, and fragmented IT governance, often demanding payment to restore encrypted data. The fallout extends beyond immediate downtime; it erodes citizen confidence, forces emergency declarations, and triggers costly external assistance, amplifying fiscal pressures on already stretched city coffers.

Foster City’s rapid declaration of a state of emergency unlocked supplemental funding and allowed the city manager to prioritize critical services while non‑essential functions were suspended. By keeping 911 and police dispatch online, the city mitigated public safety risks, a best‑practice response that many jurisdictions emulate. Simultaneously, Los Angeles Metro’s pre‑emptive restriction of internal systems, though inconvenient for employees and riders, reflects a growing trend of “containment first” protocols designed to prevent lateral movement by threat actors. The transit agency’s transparent communication about service impacts and data integrity helps preserve rider trust during a cyber incident.

These events serve as a cautionary tale for other municipalities and transit authorities. Investing in proactive cyber hygiene—regular patching, multi‑factor authentication, and segmented network architecture—can reduce attack surfaces. Moreover, establishing clear incident‑response playbooks, conducting tabletop exercises, and securing cyber‑insurance are essential components of a resilient public‑service ecosystem. As ransomware groups continue to refine their tactics, public sector leaders must treat cybersecurity as a core operational function rather than an ancillary IT concern.