OIG investigation says WMATA officials fail to follow data handling procedures

OIG says this long-standing failure has likely limited the agency's ability to mitigate the weak areas where WMATA is vulnerable.

WASHINGTON — A report from the Office of Inspector General (OIG) claims that Metro officials at all levels fail to follow the agency's own data handling policies, which leaves Metro blind to the transfer of critical and sensitive data to devices outside of the agency's control. 

The report, which was released to the public Wednesday, is based on an ongoing cyber investigation that began after a data security leak in early January.

The 14-page report starts by saying evidence has surfaced showing officials within the Washington Metropolitan Area Transit Authority (WMATA) failed to follow the agency's own data handling policies and procedures as well as other policies and procedures establishing minimum levels of protection for handling and transmitting various types of data collected by WMATA. 

Additionally, the report claims WMATA "lacks visibility" into its remote user activity, leaving it blind to the transfer of critical and sensitive data to devices outside of WMATA's control. This information includes network passwords, emergency response procedures, disaster recovery measures, vulnerability assessments, application/server diagrams and other critical data. 

The report also claims WMATA has failed to implement at least 51 IT and cyber security recommendations intended to protect the agency's data, networks and assets. 

"Some of these unimplemented recommendations date back to 2019," the report reads. "At least three commissioned outside cybersecurity-related reports as well as OIG and internal audits of WMATA's cybersecurity vulnerabilities have highlighted how, for years, WMATA has failed in its Information Technology (IT) responsibilities by not implementing basic IT policy changes and an IT governance framework focused on protecting WMATA's critical/sensitive data, networks and assets." 

In January, OIG was alerted by a WMATA cyber security group after it had noticed abnormal network activity originating in Russia. Investigators say the credentials of a contractor who no longer worked for WMATA had been used to access sensitive data from Russia.

While the contractor no longer worked for WMATA, his supervisor had allowed the contractor to retain his high-level administrative access to WMATA systems and networks, hoping the contract would be renewed. 

Through the OIG investigation, officials learned the former contractor's version of events was not accurate. The report claims the computer in Russia was turned on at the direction of the former contractor, who remotely accessed the computer. 

"Since the former contractor’s high-level administrative access had not been revoked, he was able to remotely access his personal computer in Russia to log into WMATA systems containing critical and sensitive WMATA data," the report reads.

The report does not name the former contractor but does say that they were hired through a U.S.-based company to work on sensitive WMATA applications and systems, including the agency's SmarTrip application, which is used by customers to pay for fares at all Metrorail stations. 

The report lists three significant findings in regard to the January breach:

  1. There was no concrete indication that the contents of the OneDrive were synchronized to the device in Russia.
  2. No indications of persistence or ongoing malicious activity were observed.
  3. The Microsoft team identified several opportunities to improve the cyber-resiliency of the Authority’s IT network environment.
