Computer in Russia breached Metro system amid security concerns, report says (2024)

Listen

11 min

Comment

Gift Article

A personal computer in Russia was used to breach Metro’s computer network this year after the transit agency repeatedly was warned that cybersecurity deficiencies left its systems open to information theft and national security threats, according to a report released Wednesday.

Fast, informative and written just for locals. Get The 7 DMV newsletter in your inbox every weekday morning.ArrowRight

The unauthorized January log-in into Metro’s cloud-based system from a computer belonging to a former IT contractor drew the attention of the transit agency’s Office of the Inspector General (OIG). Metro confirmed the inspector general’s account but disputed its description of the incident as a breach, saying in a statement that documents accessed were related to the former contractor’s work.

The inspector general’s report surfaced deep-rooted problems that the watchdog’s officials say hinder security upgrades and leave the transit agency open to attacks that could threaten train safety. At risk is the nation’s third-largest transit system, responsible for transporting more than 600,000 people a day around the nation’s capital. As Metro increasingly relies on technology — launching a mobile fare card and app during the pandemic while aiming to switch to self-piloting trains this year — investigators said the need for strengthened cybersecurity protections will only rise.

Advertisement

The most recent episode unfolded after the inspector general’s office had warned Metro for months that investigators uncovered widespread and long-standing security issues, including years of missing computer security updates, interdepartmental disputes that hamstring Metro’s cybersecurity team, Russia-based contractors receiving high-level clearances and other security holes that required immediate attention.

Metro’s sluggish response prompted Inspector General Rene Febles in recent weeks to elevate the concerns to federal law enforcement, homeland security and transportation agencies while briefing multiple congressional committees, according to a person with knowledge of the briefings. Several lawmakers confirmed Wednesday that they had been briefed and said they were concerned about problems the inspector general had uncovered.

“These vulnerabilities, if left unaddressed and subsequently become exploited by a threat, could render [Metro] susceptible to unacceptable outcomes,” the report said.

Advertisement

Metro General Manager Randy Clarke acknowledged deficiencies the agency is remediating but said Metro reported the unauthorized login to the Cybersecurity and Infrastructure Security Agency (CISA), which he said “closed the case without comment.”

Transit officials say CISA, the nation’s preeminent cybersecurity authority, and Microsoft, whose products Metro relies on, did not alert Metro of major cybersecurity problems after reviews.

“Safety and security is our core value, and we will continue to prioritize improvements in this area,” Clarke said in a statement.

Metro said in a memo to the Transportation Security Administration that since Sept. 30, it has required employees of one contractor to work on agency projects from within the United States. The name of the company is redacted in the version of the memo Metro released, and the OIG would not disclose the company’s identity.

Advertisement

But in a briefing, Febles referred to EastBanc Technologies, a Washington-based firm with a history of contracts with Metro and government agencies, according to the office of Sen. Mark R. Warner (D- Va.), who is the chairman of the Senate Intelligence Committee.

“Sen. Warner will be keeping a close eye on [Metro’s] oversight of its contractors and its management of IT permissions,” Warner spokeswoman Valeria Rivadeneira said in a statement.

An EastBanc spokeswoman who wouldn’t provide her name said the company ended any relationship with Russia after sanctions were imposed last year following that country’s invasion of Ukraine. She said the company complied with Metro’s security requirements, including that employees be in the United States.

Efforts to reach the individual contract worker involved in the data breach were not successful. The memo to the TSA indicates that he was barred from working with Metro on Jan. 10.

Advertisement

Metro’s security and audit teams did not find indications that anything from the breached system was copied to a Russia-based computer, the report said.

In a response to the OIG that was included in the report, Metro’s chief information officer, Torri Martin, as well as its chief audit and risk officer, Elizabeth Sullivan, said Metro is reviewing recommendations from both the OIG and Microsoft.

“Where a new program or process may be needed, we will develop an actionable plan and milestones based on available resources and appropriate [corrective action plans],” Martin and Sullivan wrote.

Republican and Democratic staff on the Senate Banking Committee, which oversees transit, confirmed Wednesday that they had been briefed by the inspector general. Jessica Collins, a spokeswoman for the Republican-led House Oversight Committee, also said the committee had received a bipartisan briefing from the inspector general.

Advertisement

“We are alarmed by the Inspector General’s findings and will be further examining this issue to ensure any vulnerabilities in [Metro’s] cybersecurity operations are addressed in order to protect sensitive data and networks,” Collins said in a statement.

Sen. Tim Kaine (D-Va.) said the transit agency needs to “step it up” and move quickly to shore up its cybersecurity.

Congress and the federal government repeatedly cite Metro, including its 97 stations and miles of underground tunnels, as a national security priority. Congress has held hearings to review whether Metro was adequately protected from terrorist attacks, and lawmakers in 2019 passed a provision that banned the agency from hiring a rail car manufacturer in China, concerned they could be built with capabilities for the Chinese government to spy on Washington or to launch cyberattacks.

Congress restricts Metro from buying rail cars made by China-based manufacturer

The inspector general’s office has raised concerns about Metro’s computer security in the past. In 2018, the OIG completed an audit that found the transit agency was vulnerable to attack, but it decided to keep the full findings secret so as not to reveal specific weaknesses. In 2020, another report highlighted opportunities for Metro to improve security. Those details also were kept secret.

Advertisement

The report released Wednesday said Metro didn’t act on more than 50 previous cybersecurity recommendations from oversight agencies dating back to 2019.

“During OIG’s investigation, evidence has surfaced that [Metro], at all levels, has failed to follow its own data handling policies and procedures as well as other policies and procedures establishing minimum levels of protection for handling and transmitting various types of data collected by [Metro],” the report said.

The audit also touched on train safety, which was not related to the OIG’s investigation into foreign-based contractors but deemed by investigators to be an urgent matter. The report indicated that some of Metro’s trains were found by an outside contractor in 2019 to have cybersecurity vulnerabilities. Metro hired a firm to probe the trains for vulnerabilities, and according to the report, “the security company determined that the risk to [Metro’s] train in its current configuration was ‘critical.’”

Advertisement

Those findings were not turned over to the inspector general’s office until this past February, the report said. The type of train with vulnerabilities is redacted, but the description of the testing matches an initiative Metro launched to test the security of its latest 7000-series cars.

In its response to the inspector general, Metro said the security testing firm was never able to access the trains’ automatic train controls. The agency said suppliers are working to fix the weaknesses but that those efforts had been slowed by the pandemic.

Metro will return to automatic train system for first time in 14 years

The Washington Metrorail Safety Commission, an independent regulatory agency Congress created to monitor Metrorail safety, said in a statement Wednesday that Metro has reduced cybersecurity risk on trains.

“We look forward to Metrorail ensuring that it implements remaining changes in a timely, coordinated fashion as part of its continuous improvement process,” the statement said.

Advertisement

The most recent intrusion investigation and subsequent report stems from a routine cybersecurity audit that began in January last year by the OIG, an independent agency that works to ferret out waste, theft, crimes or the misuse of agency property or power.

Weeks after starting the audit, OIG investigators paused it, shifting to determining the depth of issues and making recommendations Metro could use for urgent changes and upgrades. Among the issues were contractors working from Russia on Metro projects. The employees who worked for EastBanc were tasked with helping Metro to modernize its SmarTrip fare card service payment processing system and developing a more efficient method of refund processing, according to the company’s website. The company has contracted with Metro for over a decade.

Russia had a bustling IT outsourcing sector, but foreign technology companies were quick to pull out of the country after it invaded Ukraine.

Nitish Mittal, a partner at research firm Everest Group, said continuing to maintain ties with Russia presented reputational and security risks after the war began, noting that it was relatively easy for IT companies to leave. Mittal said companies are increasingly looking to ensure their outside technology teams are in friendly countries, a concept he referred to as “ally-shoring.”

“Going forward, we do see clients trying to future-proof how they source talent,” he said.

Federal cybersecurity officials said they have seen increased cyberattacks from Russia driven by either crippling economic sanctions imposed on the country or because of the material support that the United States and allies are providing Ukraine.

On May 9, CISA issued an alert warning businesses and agencies to protect against a sophisticated cyberespionage tool, or “snake,” designed by Russia’s Federal Security Service for long-term intelligence collection on targets such as government networks. The malware was detected in 50 countries, CISA said.

In response, Febles issued a rare alert about a week later to Metro’s then-interim general manager, Andy Off. The alert stressed the importance of expediting cybersecurity upgrades.

Metro cybersecurity audit highlights growing concerns at agencies across the country

The OIG continued to investigate the contractors who had been working in Russia and subpoenaed background checks the transit agency requires that contractors conduct on their employees — a process investigators want Metro to review in light of the recent concerns, according to the report.

Those subpoenaed records showed that more than one-third of background checks used the same last four digits of a social security number, the report said. The EastBanc spokeswoman said the company accurately submitted Social Security and government records as requested. Metro pledged to resolve the vulnerabilities.

On Jan. 4, the transit agency’s cybersecurity staff received notice that a computer in Russia had accessed Metro’s system, which the report described as being a “sensitive” Metro directory. According to the inspector general’s report, the office’s investigation traced the breach to the home computer of an employee whose contract had expired.

OIG investigators determined that the man used his still-active log-in and password while remotely accessing his computer in Russia. Investigators found the worker’s initial story about the incident not to be truthful, the report said.

“Since the former contractor’s high-level administrative access had not been revoked, he was able to remotely access his personal computer in Russia to log into [Metro] systems containing critical and sensitive [Metro] data,” the OIG report said.

Investigators asked Metro’s IT manager, whose role includes terminating such log-ins and passwords, why the account was still active. They learned that an IT supervisor had allowed the former contractor to retain his high-level access while hoping the company would rehire him, according to the report.

In its memo to the TSA, Metro said the contractor’s access had been reenabled due to a “business process error.”

Metro said it reported the incident to the Department of Homeland Security’s cybersecurity office, which closed the report “without comment.” The DHS office referred questions back to Metro. The transit agency has also created a chief digital officer position reporting directly to Clarke.

The inspector general’s report said concerns about contractors’ links to Russia “still stand.”

“One of the OIG’s gravest concerns identified … was access to [Metro] data by foreign nationals who were supporting sensitive applications and systems from Russia,” the report said.

More coverage: Air travel, transit, railroads

Potomac Yard: New Metro station, decades in the making, opens in Alexandria

Metro breach: Computer in Russia breached system amid security concerns

Union Station: Feds release updated $8.8 billion redevelopment plan

Unpaid tickets: How 6 million D.C. traffic tickets weren’t paid

Traveling and commuting in D.C.

HAND CURATED

  • D.C. struggles to rein in risky drivers. One car has $186,000 in tickets.May 2, 2023D.C. struggles to rein in risky drivers. One car has $186,000 in tickets.May 2, 2023
  • Potomac Yard Metro station, decades in the making, opens in Alexandria May 19, 2023Potomac Yard Metro station, decades in the making, opens in Alexandria May 19, 2023
  • Computer in Russia breached Metro system amid security concerns, report saysMay 17, 2023Computer in Russia breached Metro system amid security concerns, report saysMay 17, 2023

Computer in Russia breached Metro system amid security concerns, report says (2024)

FAQs

Computer in Russia breached Metro system amid security concerns, report says? ›

A personal computer in Russia was used to breach Metro's computer network this year after the transit agency repeatedly was warned that cybersecurity deficiencies left its systems open to information theft and national security threats, according to a report released Wednesday.

Did MetroPCS have a data breach? ›

Security researchers discovered a security flaw in the website of T-Mobile US' (NYSE:TMUS) MetroPCS prepaid brand that could have allowed digital thieves to steal customers' home address, type of plan and even their phone's model and serial number.

What happens if cyber security is breached? ›

Reputational damage

Loss of customer and stakeholder trust can be the most harmful impact of cybercrime, since the overwhelming majority of people would not do business with a company that had been breached, especially if it failed to protect its customers' data.

Is it cyber security or cybersecurity? ›

two word spelling difference may simply come down to regional preference – American authors tend to use cybersecurity as one word, whereas British professionals have been known to separate the word into two.

What is cyber security in it? ›

Cyber security refers to every aspect of protecting an organization and its employees and assets against cyber threats. As cyberattacks become more common and sophisticated and corporate networks grow more complex, a variety of cyber security solutions are required to mitigate corporate cyber risk.

Is My computer being breached? ›

If your computer is hacked, you might notice some of the following symptoms: Frequent pop-up windows, especially the ones that encourage you to visit unusual sites, or download antivirus or other software. Changes to your home page. Mass emails being sent from your email account.

What are my rights if my data has been breached? ›

Under data protection law, you are entitled to take your case to court to: enforce your rights under data protection law if you believe they have been breached. claim compensation for any damage caused by any organisation if they have broken data protection law, including any distress you may have suffered, or.

Does data breach mean hacked? ›

' But not all cyberattacks are data breaches—and not all data breaches are cyberattacks. Data breaches include only those security breaches in which the confidentiality of data is compromised. So, for example, a distributed denial of service (DDoS) attack that overwhelms a website is not a data breach.

How does a data breach affect me? ›

Data leaks can reveal everything from social security numbers to banking information. Once a criminal has these details, they can engage in all types of fraud under your name. Theft of your identity can ruin your credit, pin you with legal issues, and it is difficult to fight back against.

What do hackers do with breached data? ›

1. Hackers can sell your data to other criminals

One way hackers profit from stolen data is selling it in masses to other criminals on the dark web. These collections can include millions of records of stolen data. The buyers can then use this data for their own criminal purposes.

Which government agency is responsible for cyber security? ›

The Cybersecurity and Infrastructure Security Agency (CISA) defends critical infrastructure against threats.

What are the 5 types of cyber security? ›

The 5 Types of Cybersecurity and What You Need to Know
  • Critical infrastructure security.
  • Application security.
  • Network security.
  • Cloud security.
  • Internet of Things (IoT) security.
Dec 26, 2022

Who is responsible for cyber security? ›

Chief Technology Officer (CTO)

As the individual responsible for overseeing all the technical aspects of an organization, the CTO is often the steward of the entity's data. Cybersecurity-related responsibilities can include ensuring technology solutions are in place to keep networks up and running after a breach.

What is the 3 types of computer security? ›

In this post, we will focus on the different types of computer security such as application security, network security, internet security, data security, information security and end user security.

Why are cyber security breaches so harmful? ›

Cyber attacks can cause electrical blackouts, failure of military equipment, and breaches of national security secrets. They can result in the theft of valuable, sensitive data like medical records. They can disrupt phone and computer networks or paralyze systems, making data unavailable.

How do you keep cyber safe? ›

How to stay cyber safe
  1. Use strong passwords.
  2. Turn on 2-step authentication.
  3. Think before you click.
  4. Be careful what you share.
  5. Avoid public wi-fi.
  6. Update your software.
  7. Act immediately.
  8. Links.
Apr 20, 2023

What are the 2 possible signs that you have been hacked? ›

Common warning signs of a cyberhack
  • Password reset emails. ...
  • Random popups. ...
  • Contacts receiving fake emails or text messages from you. ...
  • Redirected internet searches. ...
  • Computer, network, or internet connection slows down. ...
  • Ransomware messages.
Mar 13, 2023

What is the first thing you do when you get hacked? ›

Step 1: Change your passwords

This is important because hackers are looking for any point of entry into a larger network, and may gain access through a weak password. On accounts or devices that contain sensitive information, make sure your password is strong, unique—and not easily guessable.

Can hackers see your screen? ›

Remote access tools: Hackers can use remote access tools to take control of a victim's device and use it to view or control the victim's screen. This is probably the most common image we think of when people think of hacking screens.

Can I sue if my data is breached? ›

Yes, after a data breach, those affected can bring a data breach lawsuit against the company. However, to succeed in their claim, the victim must prove that the company was negligent or otherwise violated the United States data breach laws.

How much is the data breach settlement? ›

More Information About the Settlement

The settlement includes up to $425 million to help people affected by the data breach. The initial deadline to file a claim in the Equifax settlement was January 22, 2020.

Can you stop a data breach? ›

You can purchase security software and automate it to run on a continuous basis. Firewalls, anti-virus software, and anti-spyware software are important tools to defend your business against data breaches. Work closely with an internet security team or provider to set these up correctly.

Is a data breach something to worry about? ›

If your personal information is exposed in a data breach, it's important to act quickly to secure your bank and credit card accounts and to take additional steps to prevent credit fraud.

What does it mean when there is a data breach? ›

A data breach is an incident where information is stolen or taken from a system without the knowledge or authorization of the system's owner. A small company or large organization may suffer a data breach.

What are the 3 types of data breaches? ›

Stolen login credentials, pilfered funds, or a leak of intellectual property are all types of data breaches.

What you should do after a data breach? ›

You should change all affected or vulnerable passwords immediately. Use a password manager and create new, strong passwords for each account, and refrain from reusing the same passwords on multiple accounts. That way, if a data breach happens again in the future, the damage may be limited.

What are 4 consequences of data breach? ›

Data breaches can affect the brand's reputation and cause the company to lose customers. Breaches can damage and corrupt databases. Data breaches also can have legal and compliance consequences. Data breaches also can significantly impact individuals, causing loss of privacy and, in some cases, identity theft.

What type of information do hackers look for? ›

Personal data

While passport information sells for the most amount of money, Social Security numbers are the most valuable to hackers, as these can be used for tax fraud, opening credit accounts, and other malicious activities.

How do hackers gain access to your account? ›

With the help of a kind of spyware known as a keylogger program, you are tracked while typing on the infected device. By recording your keystrokes, the hacker can steal your passwords and other sensitive data and use it to access your accounts, including email, social media and online banking.

What are the 4 common causes of data breaches? ›

Six Common Causes of Data Breaches
  • Cause 1. Insider Threats Due to Misuse of Privileged Access. ...
  • Cause 2. Weak and Stolen Passwords. ...
  • Cause 3. Unpatched Applications. ...
  • Cause 4. Malware. ...
  • Cause 5. Social Engineering. ...
  • Cause 6. Physical Attacks.
Sep 30, 2022

Who protects the US from cyber attacks what are their responsibilities? ›

The FBI is the lead federal agency for investigating cyber attacks and intrusions. We collect and share intelligence and engage with victims while working to unmask those committing malicious cyber activities, wherever they are.

What government agency is the leader in investigating cyber attacks and computer crime in America? ›

National Cyber Investigative Joint Task Force — FBI.

What is the White House Executive Order 14028? ›

Executive Order (EO) 14028, "Improving the Nation's Cybersecurity" pushes agencies to adopt zero trust cybersecurity principles and adjust their network architectures accordingly.

What are the top 4 cyber-attacks? ›

What are the 10 Most Common Types of Cyber Attacks?
  • Phishing.
  • Spoofing.
  • Identity-Based Attacks.
  • Code Injection Attacks.
  • Supply Chain Attacks.
  • Insider Threats.
  • DNS Tunneling.
  • IoT-Based Attacks.
Feb 13, 2023

Which of the following does not pose a threat to computer security or privacy? ›

The correct answer is Debugging. In computer programming and software development, debugging is the process of finding and resolving bugs within computer programs, software, or systems.

What are the 3 A's of cyber security? ›

Authentication, Authorization, and Accounting (AAA) is a three-process framework used to manage user access, enforce user policies and privileges, and measure the consumption of network resources.

Which internet sites are the favorite targets of hackers? ›

What kind of websites do hackers look to target?
  • E-commerce websites. Often hackers can find vulnerabilities within an e-commerce website, especially ones using common coding or shopping cart software. ...
  • Small businesses. ...
  • News outlets. ...
  • Healthcare. ...
  • Government. ...
  • Financial services. ...
  • Non-profit. ...
  • Online retailers.

What cell phone carrier has a data breach? ›

The breach follows T-Mobile in January saying a "bad actor" took advantage of one of its application programming interfaces to gain data on "approximately 37 million current postpaid and prepaid customer accounts."

Who is affected by T-Mobile data breach? ›

In 2019, T-Mobile exposed the account information of an undisclosed number of prepaid customers. In March 2020, T-Mobile employees were affected by a data breach exposing their personal and financial information.

Why is Metro data not working? ›

Verify you are in the Metro coverage area using our Coverage Map. Turn your phone off and back on again to power cycle the device. Check that the following settings in your phone are accurate: Mobile data is enabled, Wi-fi is off, Airplane mode is off, Any mobile data limits are disabled.

What was the recent data breach with T-Mobile? ›

The Breakdown You Need To Know: T-Mobile believes the attacker first retrieved data around November 25th, 2022, through one of its APIs. However, this is nothing new for the telecom company as it has disclosed eight hacks since 2018, with previous breaches exposing customer call records in January 2021.

What is the most common Mobile security breach? ›

Top Mobile Security Threats
  1. Malicious Apps and Websites. Like desktop computers, mobile devices have software and Internet access. ...
  2. Mobile Ransomware. ...
  3. Phishing. ...
  4. Man-in-the-Middle (MitM) Attacks. ...
  5. Advanced Jailbreaking and Rooting Techniques. ...
  6. Device and OS exploits.

Can someone steal your cellular data? ›

Smartphones hold everything from email and phone contacts to banking and website login credentials. Hackers can sell this data on the dark web, use it to commit identity theft, or carry out a host of other cybercrimes.

How much will I get from T-Mobile data breach settlement? ›

Any time or money that you spent to recover assets lost from fraud or identity theft can be eligible for payments, up to a total value of $25,000. However you should bear in mind that you will need to go through an extensive documentation process to prove the legitimacy of your claim.

How much is the payout for T-Mobile data breach? ›

T-Mobile's $350 million settlement was one of the largest data breach payouts in US history. After a 2021 cyberattack exposed millions of customers' personal information, T-Mobile agreed to a $350 million settlement to resolve claims that its negligence led to the breach.

How do I know if I qualify for T-Mobile settlement? ›

T-Mobile has identified 76 million US citizens whose information was exposed in the data leak. How do I know if I am part of the Settlement? Class members were mailed notices of the proposed settlement, but you can check your eligibility by contacting the settlement administrator by phone at 833-512-2314 or via email.

How do I check my metro data? ›

You can check your data usage in your Metro by T-Mobile My Account. In addition, you will receive a text message on your T-Mobile Internet Gateway as well as on the oldest voice line (by date) on your account. The first text message will let you know you have reached 80% of your data usage.

Is Metro really unlimited data? ›

What does Metro by T-Mobile offer for high speed data? The $40 rate plan includes unlimited talk text and data on our 5G & 4G LTE network with 10GB of high-speed data. The $50 and $60 rate plans include unlimited high-speed data, talk, and text.

What network operator is MetroPCS? ›

Metro by T-Mobile Customers Get the Best from T-Mobile's Network.

How many times has T-Mobile been hacked? ›

Hackers Claim They Breached T-Mobile More Than 100 Times in 2022. Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests.

Is there a settlement for T-Mobile breach? ›

In August 2021, T-Mobile suffered a cyberattack that compromised the personal information of more than 75 million consumers. The subsequent class action lawsuit resulted in the mobile telecommunications company agreeing to a $350 million settlement, according to CNET.

What do I need to know about T-Mobile data breach? ›

The company disclosed in notification letters issued to impacted customers on April 28th that a hacker managed to access information such as full names, dates of birth, addresses, contact information, government IDs, social security numbers, and T-Mobile account pins.

References

Top Articles
Latest Posts
Article information

Author: Msgr. Refugio Daniel

Last Updated:

Views: 5493

Rating: 4.3 / 5 (54 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Msgr. Refugio Daniel

Birthday: 1999-09-15

Address: 8416 Beatty Center, Derekfort, VA 72092-0500

Phone: +6838967160603

Job: Mining Executive

Hobby: Woodworking, Knitting, Fishing, Coffee roasting, Kayaking, Horseback riding, Kite flying

Introduction: My name is Msgr. Refugio Daniel, I am a fine, precious, encouraging, calm, glamorous, vivacious, friendly person who loves writing and wants to share my knowledge and understanding with you.