The M.T.A.’s systems appear to have been attacked on two days in the second week of April, and the access continued at least until the intrusion was identified on April 20, the M.T.A. document shows. The hackers took advantage of a so-called “zero day,” or a previously unknown coding flaw in software for which a patch does not exist.
Hackers gained access specifically to systems used by New York City Transit — which oversees the subway and buses — and by both the Long Island Rail Road and Metro-North Railroad, according to the M.T.A. document outlining the breach. The hackers compromised three of the transit authority’s 18 computer systems, transit officials said.
But, Mr. Portnoy said, there was “no employee or customer information breached, no data loss and no changes to our vital systems.”
“Our response to the attack, coordinated and managed closely with State and Federal agencies, demonstrated that while an attack itself was not preventable, our cybersecurity defense systems stopped it from spreading through M.T.A. systems,” he added.
Once the broad intrusions that included the M.T.A. were identified in late April, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the National Security Agency and the F.B.I. issued an alert about the vulnerability.
The software company that owns Pulse Connect Secure, Ivanti, provided immediate steps to mitigate the damage and released a security update to fix the vulnerabilities. New York transit officials say they implemented the fixes within 24 hours of their release.
After receiving the warning from security officials, the M.T.A. quickly conducted the detailed forensics audit, which found malware in the authority’s Pulse Connect Secure applications, transit officials said. According to the M.T.A. document, the malware included malicious software known as “web shells,” which typically provide hackers a backdoor to remotely access — and in some cases control — certain servers over a long period of time.