The digital theft of personal information about hundreds of customers led SEPTA to shutter its online store this summer, officials said.

According to letters sent this month to the 761 people who were likely victimized, the hack into the e-commerce site led to the theft of information including credit card numbers, names, and addresses, SEPTA spokesperson Andrew Busch said.

The store offered online ticket purchases, along with SEPTA swag like mugs and T-shirts. It wasn’t heavily used, Busch said, and SEPTA was concerned about the breach being a liability in the future.

“Overall, the best decision was to take it down,” Busch said.

The intrusion at shop.septa.org came to SEPTA’s attention July 16 after a customer received a malware warning while using the site. SEPTA was not the only victim of the cyber crime, Busch said, but it was not clear what other businesses were affected.

The thefts could have taken place between June 21 and July 16, the notification letter said, and was done through Magecart, a hacker group that skims credit card information from online shopping systems.

SEPTA's online shop has been shuttered since a data breach there led to the theft of hundreds of customers' personal information.
Jason Laughlin / Staff
SEPTA's online shop has been shuttered since a data breach there led to the theft of hundreds of customers' personal information.

SEPTA shut down its online shop within an hour of discovering the incursion. The website for SEPTA’s Key fare card was not affected, the agency reported.

SEPTA’s information-technology staff identified the source of the data breach in consultation with Spirent, an international IT consultant under contract with SEPTA. The store was hosted by Amazon Web Services. The data taken from SEPTA’s store were made available on the dark web, Busch said.

Amazon did not reply to a request for comment Thursday. Around the same time SEPTA discovered its breach, federal authorities charged a woman in Washington with stealing credit card application information from 106 million people, according to documents filed by the U.S. Attorney’s Office of the Western District of Washington. Capital One was also using Amazon Web Services as a host for its online operations, though the cases do not appear to be related. Federal authorities have reported that Paige Thompson, a former Amazon employee, took data from 30 other companies.

Though SEPTA acted quickly to close the online store, almost two months passed before the victims received notification. Nicholas Rizzio, a Penn State student, received a letter dated Sept. 5 from SEPTA about the theft. By then, a fraudulent charge had already appeared on his credit card, he said.

Four times in August, someone tried to use his MasterCard debit card, Rizzio said, and the fourth transaction, a $31 charge from a British department store, the House of Fraser, processed successfully. It took Rizzio about six days to have the transaction reversed, and he had to cancel his debit card.

Rizzio’s personal information was stolen after he bought Regional Rail tickets to travel to a conference in Philadelphia, he said.

SEPTA’s delay in notifying him of the information theft was frustrating, he said. He received a notification that there were technical problems with the online store, but didn’t initially learn of the theft.

“I do feel dissatisfied,” he said. “They should have told me earlier.”

SEPTA officials said it was not possible to immediately catalog the full scope of the breach.

“What took us some time was making sure we had accurate information on individuals who were affected,” Busch said. “It takes some time to get your hands around it.”