WASHINGTON — Metro could do more to protect personal information stored in or accessible through web apps like SmarTrip and other agency databases, a new Metro Office of Inspector General report found.
“Without strong security controls, WMATA’s publicly accessible web applications are vulnerable to cyberattacks and data breaches, which could have detrimental impact on WMATA’s mission, operations and critical infrastructure,” the audit said.
Inspector General Geoff Cherrington declined to release the specific details of the cybersecurity concerns, which follow a similar audit of computer security risks that he released this summer.
“WMATA’s going to implement all of the OIG recommendations. Due to the sensitivity of the audit findings, we’ll not be making this audit public,” Cherrington told a Metro Board committee Thursday.
A summary of the audit notes shows Metro has some control over sensitive information like names, addresses and credit cards, but that it may not be enough.
“[O]pportunities exist to further strengthen security over publicly accessible web applications thereby reducing the likelihood of data breaches,” the audit said.
Investigators reviewed Metro’s 17 publicly accessible websites and web applications including 24 web-based login portals and remote access systems for workers.
In 2012, Metro’s job application site was set up in a way that potentially allowed anyone with a person’s email address to get certain personal information from their job applications.
“WMATA has been a target of cyber-attacks because it maintains financial and sensitive security information,” a description of the audit noted.
Besides these concerns, the inspector general’s office is also concerned with people impersonating Metro employees online in order to get critical information or lure employees to send the agency’s money to fake accounts.
In January, the office raised “significant concerns about a targeted attempt to use fraudulent email correspondence to induce WMATA employees to wire transfer funds.”
While the phishing attempts had been going on for more than a year, it became clear that the people targeting Metro employees were using details on the Metro website and other public information to develop a list of departments, staffing, email addresses and billing information.
“The attackers then disguise themselves as actual WMATA personnel and with malicious intent, target individuals both internal and external to WMATA,” the management alert said.
Metro has been working with federal officials in an effort to identify those responsible.