This is a work in progress. While we strive for accuracy, some breach details may be incomplete or pending verification.

RailCorp

Summary

RailCorp, the NSW government agency operating Sydney's rail network, was infected by the Sasser worm, causing the radio network to shut down and stranding approximately 300,000 passengers. The incident forced some stations to close temporarily with only 20 trains kept running during the disruption.

What Happened

In early May 2004, the Sasser worm spread rapidly across the internet, exploiting a vulnerability in Microsoft Windows systems. The worm infected RailCorp's computer systems, causing widespread disruption to Sydney's rail network on 3 May 2004.

The Sasser worm exploited a buffer overflow vulnerability in the Local Security Authority Subsystem Service (LSASS) on Windows 2000 and Windows XP systems. Once infected, systems would repeatedly crash and reboot, making them unusable. The worm spread automatically without requiring users to open email attachments or click links, making it particularly disruptive to network infrastructure.

When RailCorp's systems were infected, the radio network used to coordinate train operations shut down. This critical infrastructure failure meant that train controllers could not effectively communicate with drivers, forcing the network to operate in a severely limited capacity. Some stations were closed entirely, and the network was reduced to operating only 20 trains to maintain basic service while systems were restored.

Impact on Individuals

While no personal passenger data was compromised, the infrastructure attack had significant public impact:

  • Transport disruption: 300,000 passengers were stranded or delayed during the incident
  • Safety concerns: The radio network failure affected critical train coordination and safety communications
  • Economic impact: Commuters faced delays getting to work and appointments, affecting productivity
  • Public confidence: The incident highlighted vulnerabilities in critical public transport infrastructure

The incident affected one of Australia's largest urban rail networks during peak operational hours, demonstrating how malware targeting general computer systems could have cascading effects on critical public infrastructure.

Organisational Response

RailCorp worked to clean infected systems and restore normal operations. The agency implemented emergency procedures to maintain limited train services while addressing the worm infection. Systems were gradually restored as infected computers were identified, cleaned and patched with the appropriate Microsoft security update.

The incident occurred during a global outbreak of the Sasser worm that affected organisations worldwide, including airlines, banks, hospitals and government agencies. The worm's creator, German teenager Sven Jaschan, was arrested the following week on 7 May 2004.

Verification Source: View original statement