Malware Attack Prompts US Transport Authority to Axe Online Store

Written by

An American transport authority has responded to a malware attack by permanently closing its online store.

The Southeastern Pennsylvania Transport Authority (SEPTA) shuttered the site Shop.SEPTA.org within an hour of discovering that the personal data of 761 customers had been stolen in a data-skimming Magecart attack. 

Hackers were able to steal shoppers' credit card numbers, names, and addresses during an online crime spree thought to have begun on June 21 and ended on July 16. The store, which sold online travel tickets along with SEPTA-branded mugs and clothing, was hosted by Amazon Web Services. 

SEPTA was alerted to the attack on July 16 by a user who received a malware warning while browsing the online store. However, the transport authority waited until September 5 to inform customers affected by the attack by letter that a breach had taken place. 

Asked what had caused the two-month time lag, SEPTA spokesperson Andrew Busch told Infosecurity Magazine: "Customers were notified as soon as SEPTA was confident that it had gathered accurate information regarding the individuals who were affected. SEPTA followed proper reporting protocols as soon as the breach was discovered by notifying the FBI and the Pennsylvania Department of Transportation."

The revelation that the online store had been permanently closed in an effort to prevent any future malware attacks only came to light on September 19 when it was reported by The Philadelphia Inquirer.

Explaining SEPTA's arguably extreme approach to cybersecurity, Busch told Infosecurity Magazine: "The primary reason for shutting it down was to eliminate the potential for any additional customer information to be compromised. 

"In addition, the site was mostly used for purchases of fare products that have or are being phased out with SEPTA’s modernized fare system, the SEPTA Key, and in general it was not widely used. The SEPTA Key has a separate e-commerce site, and that site was not breached."

Busch confirmed that SEPTA has not suffered any further attacks since closing its online store, whose quiet death failed to arouse much notice. 

Describing the impact of SEPTA's decision to axe the store, Busch said: "There has not been a significant amount of customer feedback."

What’s hot on Infosecurity Magazine?