MTA Hacked in April Cyberattack; Employee, Customer Info Was Not Compromised

NBC Universal, Inc.

What to Know

  • The MTA became the target of a cyberattack this past April, MTA officials confirmed. However, the intrusion did not pose any risk to employee or customer information.
  • According to MTA officials, on the evening of April 20, CISA, NSA and FBI issued a joint alert that a zero-day vulnerability had been discovered, which means no one in the world was aware of the attack at the time it took place.
  • In a statement, Rafail Portnoy, the Chief Technology Officer for the MTA, said that the agency responded "quickly and aggressively" to the attack. In the end, no employee or customer information was compromised, he said.

The MTA became the target of a cyberattack this past April, MTA officials confirmed. However, the intrusion did not pose any risk to employee or customer information.

According to MTA officials, on the evening of April 20, CISA, NSA and FBI issued a joint alert that a zero-day vulnerability had been discovered, which means no one in the world was aware of the attack at the time it took place.

By the next morning, recommendations for fixes and patches were issued by CISA and were implemented by the MTA immediately. The patches were applied to the three impacted systems. In total, 18 different systems exist within the MTA, of which three were impacted.

The MTA also immediately engaged IBM and Mandiant (which is owned by leading cyber firm FireEye) on April 21 to perform a forensic audit, according to MTA officials. The forensic audit performed by IBM and Mandiant found no evidence that accounts were compromised, no employee information was breached and no data loss or vital changes took place. The MTA said that the hackers did not have any impact on train service, either.

Although there was no impact to employees or customers, as an additional layer of protection and as a precautionary measure, the MTA forced a password change for 3,700 users (employees and contractors), MTA officials said, adding that the agency also forced migration off of their VPN to other VPNs. Overall, this change impacted 5 percent of MTA employees and contractors and they were notified of this.  

MTA officials also stressed that the agency's multi-layered security system prevented unauthorized access to MTA’s other internal systems and the agency continues to add more layers of protection, which is in line with businesses and governments worldwide who were also targeted by such cyberattacks.

In a statement, Rafail Portnoy, the Chief Technology Officer for the MTA, said that the agency responded "quickly and aggressively" to the attack. In the end, no employee or customer information was compromised, he said.

"The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems. Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat," Portnoy said in his statement. 

The MTA didn't immediately divulge if they had any idea who the hackers were, although an official familiar with the investigation said the hack may be linked to a group based in China.

Former FBI agent and cybersecurity expert Timothy Gallagher said hacks such as this one are common.

"These types of things happen every day, but what we're seeing here is the attackers did not get that far into the system from what we're seeing," Gallagher said. "That's because of the segmentation of the system in the architecture that was done by the MTA, which prevented the threat actors from moving laterally through the system."

The FBI declined to comment on the hack.
