Iranian Hackers Breach Los Angeles Transit System, Data Stolen
Impact Assessment Rationale
While the breach of LA Metro and other named entities by Iranian state-sponsored hackers is operationally significant, the source provides no insured loss estimate, no confirmed cyber insurance claims, no evidence of physical damage to commercial infrastructure, and no named insurer or reinsurer response. The mention of a Turkish insurance brokerage as a target is noted but no loss pathway for that entity is described. This remains a watch-list item for cyber underwriters pending claims or loss quantification.
View assessment methodology →Loading map...
Geographic Zone Matches
3 active matches
- TRIA Certified AreasRule-basedConfidence 100%
- Caribbean Hurricane ZoneRule-basedConfidence 100%
- Pacific Ring of FireRule-basedConfidence 100%
Geographic zone matches are RiskEvents spatial/analytical indicators, not coverage determinations or Lloyd's official classifications.
Summary
Israeli cybersecurity firm Jambit Security has linked Iranian state-sponsored hackers (via group 'Ababeel Minab') to a March 2026 breach of the Los Angeles Metropolitan Transportation Authority, resulting in theft of at least 700GB of data and partial network shutdown. The same group has claimed attacks on South Florida's Tri-Rail commuter system and vehicle-tracking firm Vynx, with additional targets including an insurance brokerage in Turkey. No credible insured loss estimate is provided and no confirmed physical damage or claims action is referenced in the source.
This summary is AI-generated from linked source reports and may change as more information becomes available. See our correction policy for how to report errors.
Structured Intelligence
known
- Iranian-linked group 'Ababeel Minab' breached LA Metro in March 2026, confirmed by Israeli firm Jambit Security
- At least 700GB of emails, backups, and files were stolen from LA Metro
- The breach forced shutdown of parts of LA Metro's network
- Tri-Rail (South Florida) and Vynx vehicle-tracking firm also confirmed breaches
- FBI is engaged and coordinating on the incidents
- An insurance brokerage in Turkey was among named additional targets
reported
- Jambit Security's forensic evidence links the server holding stolen data to a previously known Iranian hacking operation
- Iranian hackers have been conducting a sustained series of cyber operations since the US-Israel war on Iran began in late February 2026
- Ababeel group also reportedly targeted a media outlet and educational institution in Israel
- Iranian hackers reportedly tampered remotely with fuel gauges at gas stations (per CNN)
uncertain
- Attribution to Iranian state has not been officially confirmed by US government
- Full scope of data compromised at Tri-Rail and Vynx is unknown
- Identity of the Turkish insurance brokerage targeted is not disclosed
- No insured loss quantum or claims action has been reported
- Whether any cyber insurance policies have been triggered is unknown
Affected Countries
Key Entities
Sources
Trade Media
- The Record (Cyber)27 May 2026, 13:38
Mainstream Media
- Asharq Al-Awsat (Arabic)26 May 2026, 14:24
Social / Community
- r/LAMetro27 May 2026, 20:54
Timeline
Lifecycle changed
active → monitoring
Status changed to monitoring
Auto-transitioned: no updates for 6 hours
Lifecycle changed
developing → active
Status changed to active
Auto-promoted: 3+ sources
Corroborating source
Iranian state-linked hackers attributed to the Ababil of Minab group breached the Los Angeles County Metropolitan Transportation Authority (LACMTA) in March, stealing 700GB of emails, backups and files. The attack disrupted arrival screens and transit card top-up systems but did not halt train or bus operations. The same group has claimed attacks on Tri-Rail, a vehicle tracking company, and a Saudi infrastructure firm, with an insurance brokerage in Turkey also reportedly among victims.
The saboteurs stole at least 700 gigabytes of emails, backups and other files from the Los Angeles County Metropolitan Transportation Authority (LACMTA), according to Gambit Security, a Tel Aviv-based cybersecurity firm that said it discovered the misappropriated data after it was inadvertently exposed online.
Source: r/LAMetro (Social / Community) · View source
Lifecycle changed
signal → developing
Status changed to developing
Auto-promoted: multiple sources
Corroborating source
Researchers at Gambit Security have attributed a hack of the Los Angeles transit system to a group with ties to Iran's Ministry of Intelligence (MOIS), despite the group presenting itself as an independent hacktivist collective. The incident represents a state-sponsored cyber operation against US critical infrastructure. While the attack is confirmed, no loss estimates, operational disruption details, or insured asset damage have been reported in the source.
The hacking group claimed to be a standalone hacktivist crew but actually has ties to the Ministry of Intelligence of the Islamic Republic of Iran (MOIS), researchers at Gambit Security said in a report published Tuesday.
Source: The Record (Cyber) (Trade Media) · View source
Initial Detection
Israeli cybersecurity firm Jambit Security has linked Iranian state-sponsored hackers (via group 'Ababeel Minab') to a March 2026 breach of the Los Angeles Metropolitan Transportation Authority, resulting in theft of at least 700GB of data and partial network shutdown. The same group has claimed attacks on South Florida's Tri-Rail commuter system and vehicle-tracking firm Vynx, with additional targets including an insurance brokerage in Turkey. No credible insured loss estimate is provided and no confirmed physical damage or claims action is referenced in the source.
أوضح سيلا أن الهجمات تضمنت استهداف مؤسسة إعلامية ومؤسسة تعليمية في إسرائيل، وشركة وساطة تأمينية في تركيا
Source: Asharq Al-Awsat (Arabic) (Mainstream Media) · View source