When a cybersecurity expert aiding SEPTA in its response to an August ransomware attack went to retrieve a hard drive deemed to have “vital information” pertaining to the investigation, he discovered that someone had been there before him.
He thought perhaps a joke was being played on him and reached out to others involved in the effort, including Michael Zaleski, SEPTA director of cybersecurity. There was no hard drive to be found.
Over four months later, it’s still missing.
A SEPTA Office of Inspector General Summary Investigative Report from October obtained by The Inquirer makes no conclusion as to why it happened, or who did it. The report categorizes the incident as alleged computer theft and raises serious security concerns — so far unanswered — about basic surveillance details like who else was in the building during the time of the removal.
The case seems to have gone cold.
SEPTA has no new information or updates, said spokesperson Andrew Busch. The incident has not been referred to criminal authorities.
“We’re continuing with the course of investigating and trying to determine what happened with the hard drive,” Busch said.
Asked whether the authority is investigating whether the incident could involve someone internally, Busch said SEPTA is “considering all possibilities.”
“So that would be among them,” he said.
The authority is still grappling with the ongoing saga of a ransomware attack over the summer that involved the FBI, left employees without access to email and files, as well as riders without real-time travel information.
Most of the services have been restored. SEPTA disabled internet in the building in response to the attack, and there still isn’t WiFi or ethernet access in the building. Busch did not know when internet would be fully restored. The internet outage is not connected to the search for the missing hard drive, he said.
SEPTA has not confirmed that the August incident was a ransomware attack, but multiple sources told The Inquirer in the fall that SEPTA had suffered a ransomware attack that involved a financial exchange covered through cyber liability insurance.
SEPTA tapped Arete Advisors, an incident-response company, to help remotely. A hundred SEPTA servers and 50 workstations were found to be infected, according to the report. SEPTA IT employees were brought in to physically find and scan infected workstations on Sept. 5, when the computer eventually found to have held the missing hard drive was scanned and loaded with data collection software to aid Arete in its efforts.
Four days later, Arete told SEPTA “there was a desktop that had valuable intelligence on it including executable batch files used to spread malware,” and when a crew went to get it from the 10th-floor conference room the following day, it discovered that the drive had already been removed.
The computer didn’t belong to a specific person. It is used for PowerPoint presentations during internal meetings, Busch said.
“No transactions took place from this hard drive, from this computer,” Busch said. “There’s no sensitive information about employees or customers on this hard drive, so we don’t feel that this has compromised SEPTA, its employees, or customers, in any way.”
The five-page inspector general report on the “hard drive that was previously scanned and identified as having vital information related to a recent malware attack” said it was “not feasible that the hard drive was removed and misplaced” by the crews involved in the recovery operation.
With its servers off-line, the authority couldn’t review records of door taps or card-reader use for access within the headquarters. Johnson Controls, which oversees the system, also couldn’t access the data from the 10th-floor card readers for the same reason, according to the report.
The analog visitor book in SEPTA’s lobby could have pointed to answers in the investigation but was determined to be incomplete, according to the report.
SEPTA’s stairwells are easy access points as well, with most doors unlocked, meaning “anyone could walk between floors without using their access badge or the elevators.” There are no cameras near the room, according to the report.
Internal surveillance cameras and the recording of people badging in and out were restored in early December, Busch said.
“Additional security measures aren’t something I can get into,” Busch said, “but we are confident that the building is secure.”