Personal information pertaining to SEPTA’s roughly 9,300 employees might have been compromised during a malware attack that has hindered the authority for nearly three weeks.
“Unauthorized individuals may have accessed” files containing employee names, Social Security numbers, addresses, benefits enrollment information, salary or hourly rate, as well as bank account and routing numbers, SEPTA General Manager Leslie Richards told employees in an email Thursday morning, which was shared with The Inquirer.
“SEPTA prioritizes the protection of the personal information of our employees,” Richards said in the message. “While we are still in the process of confirming the full extent of the data that may have been impacted, SEPTA is providing you with resources as quickly as possible so that you may protect your personal information for actual or attempted use.”
The authority was quick to reassure customers that SEPTA Key accounts were not affected.
A malware attack forced SEPTA to shut down its ability to share real-time information with riders on Aug. 10 to prevent the virus from spreading. Those features, including the SEPTA app’s “Next-to-Arrive” feature and platform announcements, were returned Monday afternoon.
But there isn’t a timeline on restoration elsewhere within the network. SEPTA employees worked without email for about a week, and a lack of access to servers and programs has continued to make their jobs more difficult.
The authority has brought in the FBI and outside information technology experts to assist in the investigation.
SEPTA is offering a year of free credit monitoring to workers through Kroll, a cybersecurity consultant. It’s also set up a call center dedicated to answering employee questions about the attack. Costs of both measures are covered by SEPTA’s cyber insurance, SEPTA spokesperson Andrew Busch said. Letters were also mailed to employees Wednesday.
The authority is encouraging employees to sign up for the credit monitoring for “peace of mind,” Busch said. It’s not clear how long information had been exposed.
SEPTA appears to be concerned that intruders got into its employee database, which has a treasure trove of personal information that can be used for identity theft, said Michael Levy, former chief of computer crimes at the U.S. Attorney’s Office for the Eastern District of Pennsylvania.
“Credit cards get shut down pretty quickly with fraud,” he said. “But if you’re stealing Social Security numbers, the problem now is people start opening [credit] accounts using your Social Security number, and you don’t know about it until you go to buy a car or need financing.”
If hackers stole sensitive information, they’ll likely sell the information on illicit markets in the deep corners of the so-called dark web, Levy said.
Workers should take advantage of the free credit monitoring SEPTA is offering, he said. Consumers are also entitled to free annual credit reports under federal law.
Attackers often access computer systems with “phishing” emails that dupe employees into handing over user credentials or clicking links that download malware, Levy said. The fact that SEPTA’s systems have been down for weeks may mean the agency is still not sure which parts of its computer systems hackers were in and “whether they have them out yet,” he said.
Some of SEPTA’s supervisory, administrative, and management — or SAM — employees expressed frustration to The Inquirer over a lack of communication from the authority on the attack. Employees had been left wondering basic questions such as whether their information was at risk while balancing the many hardships SEPTA faces from the pandemic. Morale at the headquarters is low and wavering, employees said. About 2,000 of SEPTA’s workers are SAM employees.
The authority is encouraging employees to monitor financial statements and contact their banks if they spot any suspicious activity, Richards told employees in the email sent Thursday.
“We weren’t in a position to say it two weeks ago,” Busch said. “It would have been alarming for employees to hear then, I’m sure, as it may be now. But it’s a process that we had to work through, and get things into place. This came to light as we went through further investigation of what happened.”