A former Washington, DC, Metro transit system contractor retained access to "critical and sensitive" Metro data from his computer in Russia after he left his job, a breach that raises broader security concerns about one of the nation's largest transit systems, according to a report released Wednesday.
The cybersecurity vulnerabilities of the Washington Metropolitan Area Transit Authority are "a cause of grave concern," and the authority's networks are "at unacceptable risk" of hacking or other forms of compromise, a report from the WMATA's inspector general concluded.
It's the latest in a series of warnings from auditors over the years that a transit system that serves hundreds of thousands of people each day in the nation's capital could be susceptible to sabotage or data theft.
The report comes as the WMATA continues to embrace digital technologies that, if unsecured, could open up further avenues for hackers. In 2019, US lawmakers blocked WMATA from using Chinese-made rail cars out of concerns that they presented cybersecurity risks.
In response to the new inspector general report, WMATA said it had made "measurable improvements" to its cybersecurity in recent years. WMATA also said Microsoft, which it hired to investigate the remote login from Russia, found no sign of ongoing malicious cyber activity on the network.
The Washington Post first reported on the inspector general's findings.
Officials from the inspector general's office have in recent weeks raised their concerns about the WMATA's cybersecurity practices with congressional committees and multiple federal agencies, a person familiar with the matter told CNN.
The top security incident flagged in the report came in January, when WMATA's cybersecurity team found "abnormal" activity on the transit authority's network that they traced to Russia. There, an ex-contractor was still accessing sensitive data on the network, according to the inspector general report.
WMATA hired the contractor through a US-based firm to work on sensitive applications, including the app that customers used to pay for trips. The contractor's supervisor allowed the Russia-based worker to retain the high-level access to WMATA networks out of hope that the contract would be renewed, investigators found.
In a statement to CNN on Wednesday, WMATA disputed the characterization of the security incident as a "breach," and said that it "immediately blocked and cut off the contractor's access to WMATA's network" after discovering the login from Russia. WMATA did not respond when CNN asked whether any employees had faced disciplinary actions over the security incident.
The inspector general report did not identify the US-based company working with WMATA that had outsourced its IT work to Russia. That practice is unusual at a time when many Western tech companies have left Russia over the Kremlin's war on Ukraine.
The inspector general's office said it wasn't done investigating WMATA's cybersecurity practices. The watchdog plans to review how WMATA handles background investigations after discovering that the transit authority outsources those investigations to contractors.