August 26, 2020
A suspected malware attack that compromised some of SEPTA's networks earlier this month is under investigation by the FBI and other cybersecurity experts.
On Aug. 10, SEPTA's IT department detected suspicious activity indicating that there had been unauthorized access to the transit authority's servers. As soon as the issue was recognized, SEPTA shut down its servers in order to prevent more widespread damage.
In a statement at the time, SEPTA said it had disabled real-time data, such as TrainView, and referred riders to printed schedules and station personnel for information.
"We apologize for the inconvenience but we are experiencing system-wide technical difficulties at this time. TrainView and other real-time data features have been disabled. Please consult printed schedules or station personnel for additional information." — SEPTA_SOCIAL (@SEPTA_SOCIAL), August 10, 2020
Two weeks after the suspected cyberattack, SEPTA is still sorting through what figures to be a lengthy recovery process, a spokesperson said.
"SEPTA's focus from the time it happened through now was on mitigating the damage," spokesperson Andrew Busch said. "Then we wanted to bring back our servers as soon as possible, but only when we were sure it could be safe. That involved scanning files. It's going to continue going on for a while."
In addition to the temporary loss of real-time TransitView information, approximately 2,200 employee email accounts were impacted by the attack, as well as employee access to some SEPTA databases.
The real-time transit updates were fully restored on Monday, Busch said, and "almost all" employee email accounts have been brought back, though access to some shared drives remains limited.
"It's going to still be a bit of a long process to make sure that things are getting back up again," he said.
Fortunately, no rider data was compromised by the cyberattack. The SEPTA Key server, operated by a third party, is completely separated and air-gapped from other SEPTA servers.
The FBI and forensics experts are investigating what happened and assisting SEPTA in determining what data may have been accessed during the breach.
After a ransomware attack on San Francisco's SFMTA transit system in 2016, it was determined that the city had been using Windows 2000, an end-of-life product no longer supported by Microsoft. That cyberattack – far more disruptive than SEPTA's – prevented riders from adding money to their payment cards and forced SFMTA to open entry gates for free.
More recently, in June, a ransomware gang hacked into the Trinity Metro transit agency in Fort Worth, Texas, taking control of private files and threatening to release them unless a large sum of money was paid.
SEPTA runs its systems on Windows 10, which is fully supported and updated by Microsoft. The motivation for the cyberattack remains unclear, and SEPTA said it could not comment on whether it received any ransom or extortion threat.
"Exactly what they were after, we're not sure of that," Busch said.
SEPTA does have cyber insurance, but it remains to be determined how much will be covered and what costs will be associated with the recovery. In the midst of declining ridership during the coronavirus pandemic, the incident has compounded SEPTA's current predicament.
"Certainly any time something like this happens, it's going to take work to get back online," Busch said. "We're already in a situation where ridership has declined. We certainly don't want this to discourage people."
The transit authority has had particular trouble with the employee workflow problems that arose as a result of the attack.
"We have been communicating to our employees through internal channels. As you can imagine, particularly for that first week, when none of us had email, and many of us are working remotely, it was difficult to get the word out to people," Busch said. "Everybody's spread out. If this had happened pre-COVID, at least you would have had people coming to the building and a more centralized way to reach people. We're still in the process of reaching out to people."
From the standpoint of SEPTA riders, it appears the disruptions caused by the attack have been addressed. For SEPTA employees, it may take a while to sort out the remaining issues.
"It's another challenge in what has been a very challenging time to work through," Busch said. "We know there are still many things to address, and communicating with our employees is a high priority. We want to fill them in as much as possible."
As the investigation continues, Busch said SEPTA will continue to work with the FBI and other partners.
"I imagine there will be a report on that at some point," Busch said. "We have to consult with them as we go through that process."