A malware attack two weeks ago continues to stifle SEPTA and has left some employees exasperated while they search for answers with little communication from the authority.
An attack on its servers halted SEPTA’s ability to give riders real-time travel information from Aug. 10 until Monday afternoon, sending them back to an era when all they had was an educated guess on when a train would come.
The effect behind the scenes left employees scrambling to find colleagues’ phone numbers and resorting to personal email accounts as many work remotely. Lack of access to SEPTA servers where files and projects are stored also has made their jobs harder.
The workers are balancing the logistics, but unsure when access will be restored, or whether their personal information has been compromised. The lack of communication about the outage is the “straw that broke the camel’s back” for some SEPTA supervisory, administrative, and management — or SAM — employees, already overwhelmed as they navigate challenges of the COVID-19 pandemic, according to several sources who asked that their names not be used because they feared losing their jobs.
“Morale is really, really low,” one SAM employee told The Inquirer. “It’s been low for a long time, and I think this is just kind of the thing that pushed people over the edge.”
A majority of SAM employees are not unionized, and those who spoke with The Inquirer described “a culture of fear and reprisals” at the organization. SEPTA has about 9,300 total employees, about 2,040 of which are SAM employees.
“I think about quitting every day,” one source said.
The FBI and outside information technology experts are assisting SEPTA in its investigation of the attack, the authority said. There is no timeline for full restoration.
“Everything that we’re doing, it’s a process, and what we don’t want to do is say the wrong thing, be wrong about something, guess at something,” said Fran Kelly, SEPTA assistant general manager for public and government affairs. “There’s no guessing here.”
The severity of SEPTA’s malware attack seems “pretty high” as it’s been the cause of so much disruption, said Michael Levy, former chief of computer crimes at the U.S. Attorney’s Office for the Eastern District of Pennsylvania. The attack caused SEPTA to shut down access to payroll and remote timekeeping, and there’s no internet at SEPTA headquarters at 12th and Market Streets. SEPTA has found a way for most employees to regain email access through a “cloud-based” system.
The length of time that systems have stayed down suggests malware may have “infected a whole lot of things” or hasn’t been seen before, Levy said. SEPTA does not know how much has been infected, the spokesmen said.
Authorities investigating such cyberattacks often look for “log files,” such as emails that came in and the IP addresses they came from, as potential leads, Levy said.
Attackers often access computer systems with “phishing” emails that dupe employees into handing over user credentials or clicking links that download malware. SEPTA does not know whether issues arose from a phishing attempt. It’s “continuing to look at” whether personal information has been compromised.
Officials can say that SEPTA Key card information wasn’t comprised. There also has “been no disruption to SEPTA’s operations,” the authority said.
The malware issue does seem to have involved Customized Community Transportation Connect, referred to as CCT, said Kellie Flanagan, a social worker who recently attempted to schedule a ride for a client to get to a doctor’s appointment and was told its “computer systems are down.”
“I was frustrated on behalf of the client, but I was also frustrated with the lack of information,” Flanagan said.
“I feel that it’s discrimination because we feel that if an able-bodied person had this problem or a similar problem, SEPTA would have taken care of it faster,” said CCT rider Colleen Marinelli, 59. “It’s like saying that because you’re disabled, where you have to go isn’t important.”
The malware attack forced SEPTA to pause CCT’s routine scheduling abilities, but SEPTA shifted operations in the interim to make sure riders are still getting where they need to go, SEPTA spokesperson Andrew Busch said. CCT has been communicated as “a priority to get restored,” Kelly said.
“In no way are we trying to discriminate against riders with disabilities and others who use CCT,” Busch said. “We’re in a situation where we have to make these temporary workarounds to keep the system moving.”
Real-time data for riders — meaning the “next-to-arrive” feature on its app and automated announcements at stations — were restored late Monday afternoon.
Valerie Johnson, a SEPTA rider, called the prolonged period without information “an annoyance.” Riders have been posing questions about the app to SEPTA’s social media account.
“The app was not always a thing,” said Johnson, 33. “So we used to fly blind all the time and got used to not flying blind, and now we’re back to flying blind again.”
It’s not SEPTA’s first run-in with public-facing tech problems. Last year, cybertheft prompted SEPTA to shutter an online store that sold tickets and merchandise. A slow rollout of the SEPTA Key card has been subject to much criticism.
“The things that the public talks about with us are the same things that many employees talk about,” one SAM employee said, “and that can be not timely communication of problems, not timely communication of solutions to problems.”
Employees who spoke with The Inquirer describe SEPTA as an archaic institution, slow to adapt to innovation.
“The authority is this like, lumbering, gasping, dinosaur, and if people don’t wake up and pay attention, there’s not going to be an authority in 18 months,” an employee said, referring to SEPTA’s funding challenges.
SEPTA earns about $481 million in passenger revenue, and the loss of riders during the pandemic has been costly. SEPTA received about $644 million in federal CARES Act funding, but General Manager Leslie Richards has joined leaders of other large transit agencies to lobby for billions more in federal support.
Officials plan for an “after-action” to better coordinate a response to any future cyberattacks.
“Definitely, we’ll come out of this with lessons learned,” Busch said. “We’re always preparing for kind of worst-case scenarios, but we’ll come out of this certainly better prepared if something like this comes along in the future.”