US Department of Transportation suffers massive malware attack. Hackers infect ticket sale system

Although most attacks against websites only last a few hours, or even days, digital forensics experts mention that other times these incidents can have irreversible consequences. Such is the case of the Southeastern Pennsylvania Transportation Authority (SEPTA), which had to permanently shut down its online store (domain after a massive malware attack. Travel tickets, as well as T-shirts, mugs and other items with the SEPTA logo, could be purchased on the website.

The first hint of the attack occurred last June, when a user browsing the SEPTA website received an alert from their anti-malware tool. The user informed the public agency, which started an internal investigation.

After the website shut down, SEPTA began notifying all potentially affected users (at least 760 people) of the incident. The agency’s message, signed by spokesman Andrew Busch, reported that as a result of the infection personal data was extracted, including:

  • Users’ full names
  • Payment card numbers
  • Home addresses

Finally, the spokesperson added that the information extracted from the website was put up for sale on some dark web forums.

Screenshot of SEPTA’s website

Some reports from digital forensics specialists attribute this incident to Magecart, the dangerous hacker group dedicated to the theft of financial information stored in online shopping systems. In addition, SEPTA officials estimate that the information would have been extracted between 21 June and 16 July.

The Pennsylvania government mentions that it is not yet possible to determine the exact scope of the incident, so more affected users could receive a notification from SEPTA over the next few days. SEPTA officials claim that after detecting the infection they followed all established reporting and damage mitigation protocols to the letter, including notifying the State Department of Transportation and the Federal Bureau of Investigation (FBI).

Finally, US federal transportation authorities announced the permanent closure of the SEPTA online store. According to digital forensics specialists, it is very likely that this decision was made in order to prevent other users’ information from being compromised.

So far no further details have been revealed about the incident, although in his latest statement, the SEPTA spokesman said no additional incidents have been detected in the agency’s network. 

Although not very common, at least three hacking incidents against some public transport-related systems have recently been detected, mainly in UK cities. One such case was filed in Manchester, where digital forensics experts from the International Institute of Cyber Security (IICS) reported that a group of unidentified hackers managed to compromise the city’s public transport app. By exploiting a flaw in the QR codes generated by this application, the attackers managed to generate electronic tickets to be able to travel by subway, train, among other means of transport without paying any money.