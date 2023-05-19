

Transit agencies are particularly vulnerable to cyberattacks, as D.C.’s apparent breach shows

A computer in Russia was used to breach the networks of D.C.’s transit agency this year, according to a watchdog report released this week, which also found that the agency had left significant cybersecurity vulnerabilities unaddressed.

The breach of the Washington Metropolitan Area Transit Authority (WMATA) was the latest cyber incident for transit in major cities, and showcased the potential for hackers to create havoc in the public transportation sector.

In the case of the D.C. agency also known as Metro, a former contractor “was able to remotely access his personal computer in Russia to log into WMATA systems containing critical and sensitive WMATA data,” according to Wednesday’s inspector general report. Beyond that incident, investigators said the agency’s cybersecurity deficiencies could threaten train safety.

“At risk is the nation’s third-largest transit system, responsible for transporting more than 600,000 people a day around the nation’s capital,” my colleagues Justin George and Ian Duncan wrote. “As Metro increasingly relies on technology — launching a mobile fare card and app during the pandemic while aiming to switch to self-piloting trains this year — investigators said the need for strengthened cybersecurity protections will only rise.”

At WMATA

Dating back to 2019, WMATA has not taken action on more than 50 cybersecurity recommendations from oversight agencies, the report said.

Among the cybersecurity issues were vulnerabilities affecting some of the trains themselves; an outside contractor concluded in 2019 that the risk was “critical.”

Another cybersecurity issue, according to the inspector general, is that WMATA has had Russia-based contract workers. One of them accessed systems after being barred from working with WMATA.

As for WMATA’s response, “Metro confirmed the inspector general’s account but disputed its description of the incident as a breach, saying in a statement that documents accessed were related to the former contractor’s work,” Justin and Ian wrote.

Metro General Manager Randy Clarke said Metro reported the unauthorized login to the Cybersecurity and Infrastructure Security Agency (CISA), which he said “closed the case without comment.” Officials said that CISA and Microsoft, which makes products that Metro relies on, “did not alert Metro of major cybersecurity problems after reviews.”

“Safety and security is our core value, and we will continue to prioritize improvements in this area,” Clarke said in a statement. He also acknowledged that the agency is remediating deficiencies.

An accounting

Metro isn’t alone among major-city transit agencies suffering cyber incidents.

Transit systems are particularly vulnerable to cyberattacks, Chester Wisniewski, principal research scientist at Sophos, told Matt Kapko of Cybersecurity Dive this year.

“They have the worst security by far generally,” Wisniewski said. “It’s run on tax money and it’s run as a bureaucracy, and their mission is to deliver transit.”

What policymakers are doing

Under the Biden administration, the Transportation Security Administration has imposed cybersecurity mandates on high-risk railroads and rail transit systems. When officials first announced that they were planning rules, they said that rules such as requiring reporting of cyber incidents to CISA would affect Amtrak “as well as large subway systems including New York’s and Washington’s,” as my colleague Ellen Nakashima reported.

“There is no better example of how the cybersecurity threat can impact our lives than in the transportation sector and how people commute, see one another, engage with one another,” Homeland Security Secretary Alejandro Mayorkas said at a cybersecurity conference in 2021.

Justin and Ian also spoke to the offices of lawmakers who said they’d be paying close attention to what WMATA does next.

“We are alarmed by the Inspector General’s findings and will be further examining this issue to ensure any vulnerabilities in [Metro’s] cybersecurity operations are addressed in order to protect sensitive data and networks,” Jessica Collins, a spokeswoman for the Republican-led House Oversight Committee, said in a statement.

Microsoft highlights service that lets people use residential IP addresses to mask hacks

Hackers are increasingly using platforms like BulletProftLink to help them create malicious email campaigns and mask their location by purchasing IP addresses that match victims’ locations, according to a new report out this morning from Microsoft Threat Intelligence. That enables them to more easily carry out business email compromise (BEC) attacks, which trick company employees into paying fake invoices.

Using the residential IP addresses “is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade ‘impossible travel’ alerts used to identify and block anomalous login attempts and other suspicious activity,” the analysis says.
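The “impossible travel” check the analysis refers to is simple to state: two sign-ins by the same account are suspicious if the distance between their geolocated source addresses could not be covered in the time between them. The added example below (my own illustration, not code from Microsoft’s report or from any vendor product) runs that check over constructed sign-in events and shows why a residential proxy near the victim defeats it: the attacker’s session geolocates a few kilometers from the victim’s last sign-in rather than thousands. The IP addresses come from the RFC 5737 documentation ranges, the coordinates are approximate city locations, and the 900 km/h threshold is an assumed “airliner speed” cutoff; in practice the coordinates would come from an IP geolocation lookup.

```python
"""Impossible-travel detection over constructed sign-in events.

Added example, not from the Microsoft report or any product. Events,
IP addresses (RFC 5737 documentation ranges) and coordinates are constructed.
"""
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed cutoff: roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometers."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous_event, current_event, implied_kmh) triples whose implied
    travel speed exceeds max_kmh. Events are dicts with keys user, ts
    (ISO-8601 with explicit UTC offset), ip, lat, lon; they are grouped per
    user and compared in time order."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["ts"])):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for evs in by_user.values():
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600.0
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if hours <= 0:
                # Simultaneous sign-ins: only impossible if they are far apart.
                speed = math.inf if dist > 50 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append((prev, cur, speed))
    return alerts


# Constructed sample events (not real logs).
VICTIM_LOGIN = {"user": "alice", "ts": "2023-05-19T09:00:00+00:00",
                "ip": "203.0.113.10", "lat": 38.90, "lon": -77.04,
                "where": "Washington, DC (office)"}
# Same credentials used 30 minutes later from a hosting provider abroad.
DATACENTER_LOGIN = {"user": "alice", "ts": "2023-05-19T09:30:00+00:00",
                    "ip": "198.51.100.7", "lat": 50.11, "lon": 8.68,
                    "where": "Frankfurt (hosting provider)"}
# Same attacker, but routed through a residential proxy near the victim.
RESIDENTIAL_PROXY_LOGIN = {"user": "alice", "ts": "2023-05-19T09:30:00+00:00",
                           "ip": "192.0.2.44", "lat": 38.88, "lon": -77.10,
                           "where": "Arlington, VA (residential ISP)"}


def run_scenarios():
    """Run the check for both attacker paths; returns {scenario: alerts}."""
    return {
        "datacenter": impossible_travel([VICTIM_LOGIN, DATACENTER_LOGIN]),
        "residential_proxy": impossible_travel([VICTIM_LOGIN, RESIDENTIAL_PROXY_LOGIN]),
    }


if __name__ == "__main__":
    for name, alerts in run_scenarios().items():
        print(f"{name}: {len(alerts)} alert(s)")
        for prev, cur, kmh in alerts:
            print(f"  {prev['where']} -> {cur['where']} implies {kmh:,.0f} km/h")
```

The datacenter path implies roughly 13,000 km/h and fires; the residential-proxy path implies about 11 km/h and is indistinguishable, on geography alone, from the victim signing in from home. That is the gap the report describes, and it is why geography-based rules are usually paired with other session attributes (device, client, ASN or ISP type) rather than used on their own.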

A snapshot of BEC phishing emails between January and April of this year shows that about 62 percent of the attacks were “lure” messages meant to draw victims into engaging with the attacker, while nearly 15 percent were related to payroll systems, according to the report.

Antiabortion group used mobile phone data for targeted ads to Planned Parenthood visitors

Antiabortion group Veritas Society used cellphone location data to deliver antiabortion ads to some Planned Parenthood clinic visitors, Byron Tau and Patience Haggin report for the Wall Street Journal.

The nonprofit established by Wisconsin Right to Life “was using precise geolocation data to target those ads from as early as November 2019 through late last year, according to a Veritas Society website, several former employees of an advertising-technology company it used to target the ads, and other people familiar with the matter,” they write.

The group used geofencing, drawing virtual perimeters around the clinics so that cellphone data within them could be collected, to capture the identifiers of devices carried into the clinics and then target those devices with antiabortion ads on social media, including Facebook, Instagram and Snapchat.

“All three social networks said the ads violated their policies and said future such campaigns would be rejected,” Tau and Haggin write.

Officers of Veritas Society and Wisconsin Right to Life didn’t respond to the Wall Street Journal’s requests for comment.

Some states have taken notice of the potential privacy implications associated with the issue. Washington Gov. Jay Inslee (D) last month signed a bill to create new protections for reproductive health data. It bars the use of geofences to send unsolicited messaging to people in health facilities.

FTC proposes rules to heighten scrutiny against digital health app data sharing

The Federal Trade Commission on Thursday issued proposed changes to its Health Breach Notification Rule (HBNR) to clarify the rule’s scope, Heather Landi reports for Fierce Healthcare.

“The proposed rule makes it clear that health-related apps and trackers will face enforcement action and potential penalties if they do not alert consumers when their health data is disclosed without their permission,” Landi writes.

The agency’s HBNR dates back to 2009. “Since the rule’s issuance, health apps and other direct-to-consumer health technologies, such as fitness trackers, have become commonplace,” an agency release said.

The proposals would expand the rule’s definition to include health apps and others not covered by the Health Insurance Portability and Accountability Act (HIPAA).

It would also clarify the definition of a “breach of security” to include “an unauthorized acquisition of identifiable health information” that occurs as a result of a data breach.

Easy Healthcare, which owns fertility app Premom, settled with the FTC and three attorneys general for $200,000 over allegations that it shared sensitive user data with two China-based companies without consent, our colleague Tatum Hunter reported this week.

