SEPTA was attacked by ransomware, sources say. It’s still restoring operations stifled since August.
“We've got to make sure that as anxious as people are to get back in full force and the old way they were doing things, we can’t give into that pressure," said a SEPTA official.
SEPTA has yet to fully restore operations stifled by a malware attack that has exasperated employees and prompted assistance from the FBI.
The August attack caused the authority to halt access to employee email and stop sharing real-time travel information with riders. It also disrupted routine scheduling practices on SEPTA’s Customized Community Transportation Connect, or CCT. Since then, the authority said it’s found workarounds or restored much of what had been affected. But after months, SEPTA employees still can’t get to files on shared drives or gain internet access at its headquarters in Center City.
The authority is “going inch-by-inch on purpose," as it scans for evidence of malware, said Gino Benedetti, SEPTA general counsel who is overseeing SEPTA’s recovery from the attack. There is no timeline on a complete restoration.
“We’ve got to make sure that as anxious as people are to get back in full force and the old way they were doing things, we can’t give in to that pressure," Benedetti said.
Benedetti offered no comment on details, such as the type of attack or how SEPTA’s servers became infected, citing an internal investigation. According to multiple sources at the authority, SEPTA suffered a ransomware attack that involved a financial exchange covered through its cyber liability insurance. The sources declined to be named because they were not authorized to speak for SEPTA.
An FBI spokesperson did not comment on whether suspects have been identified or whether action has been taken by the bureau.
“We remain in contact with SEPTA and continue to provide all appropriate assistance,” the spokesperson said in a statement.
A ransomware attack is “essentially an extortion,” said Robert D’Ovidio, associate professor at Drexel University’s department of criminology and justice studies.
“Often what we’re seeing, the trend is for insurance companies to pay out,” D’Ovidio said. “When we talk about large organizations like SEPTA, we’re not talking about $1,000. We’re talking about hundreds of thousands of dollars in ransom that’s being paid out.”
If SEPTA paid the ransom, the authority is likely combing through its network to find what’s been touched or whether malicious code was left behind in an effort to prevent “any surprises three months down the road,” he said.
Malware attacks on an organization of SEPTA’s size are not uncommon, said Andreas Haeberlen, associate professor at the University of Pennsylvania’s department of computer and information science, pointing to hacks on Sony Pictures and the U.S. Office of Personnel Management in recent years. SEPTA has about 9,300 total employees.
“Pretty much any organization, large or small, that has computers that are connected to the internet is getting attacked all the time,” Haeberlen said. “But most of these attacks are fairly simple, automated attacks, and typically, most of them fail.”
SEPTA’s servers could have become infected in a variety of ways, such as opening a bad email attachment, or someone who “installed software from an untrusted source,” Haeberlen said.
The authority renewed cyber liability insurance with American International Group, Starr Insurance Cos., Axa XL, and Beazley Group in December. In an email sent in August, SEPTA general manager Leslie S. Richards told employees that personal information, including Social Security numbers and bank accounts, were possibly compromised.
“It’s been extremely difficult for our employees,” Benedetti said. “If I were to say otherwise, it would not be accurate. You can imagine for yourself, that all of a sudden all of your files that you take for granted every day are taken away from you, and you don’t have access to them."
The authority has offered a year of free credit monitoring and set up a call center to answer employee questions. As of now, there is no evidence that personal information of employees, employee beneficiaries, or vendors has been stolen, Benedetti said.
During the SEPTA board’s meeting last month, Richards thanked employees for “their patience and understanding” as the authority continues “to address and recover from the recent malware attack."
“Our IT team continues to work diligently to fully restore and improve our network, safeguard personal information and security of our IT systems, and build a better system for the future,” she said.