A former contractor for the Washington Metropolitan Area Transit Authority (WMATA) was able to remotely access sensitive WMATA data from a computer in Russia because his supervisor failed to revoke his high-level administrative access, a new watchdog memo says.

A memo released Wednesday by the WMATA Office of Inspector General says the office opened a cyber investigation in early 2023 when it was alerted that WMATA’s cyber group had detected abnormal network activity originating in Russia in January. 

The agency found that the credential of a contractor no longer working for the agency had been used in Russia to access a sensitive directory. The former contractor’s supervisor had allowed the man to retain his access to WMATA systems and networks in hopes that his contract would be renewed, the report said.

“The computer in Russia was turned on at the direction of the former contractor who remotely accessed his computer in Russia,” the report said. “Since the former contractor’s high-level administrative access had not been revoked, he was able to remotely access his personal computer in Russia to log into WMATA systems containing critical and sensitive WMATA data.” 

WMATA hired the former contractor through a U.S.-based company. The memo doesn’t say whether the individual is a Russian national, but it warned of the contractor’s access to sensitive data. It also noted that the contractor worked on the SmarTrip app, which is used by riders to pay for their fares.   

The inspector general’s office also warned that Metro’s security failures leave the Metrorail system vulnerable to threats, since it carries about 262,000 people — including some of the world’s most powerful people — every day. 

It raised concern about a contract signed by WMATA in 2020 for recruiting with a company whose staff operated outside the U.S. It was awarded without cybersecurity provisions or “an assessment of how WMATA’s sensitive data would be accessed or protected.” 

The agency’s cybersecurity team prepared a memo outlining all of the risks the office would face in executing the contract, but was apparently overruled. The inspector general “continues to assess how these employees are connecting to WMATA data systems from outside the United States, as it does not appear they have ever been issued WMATA owned devices.” 

And the inspector general also identified a “disconnect” between WMATA IT and cybersecurity staff that it says has endangered its cybersecurity.

“The disconnect is so large that it has frustrated the cyber team, caused delays in implementation of important cybersecurity changes and threatens WMATA’s ability to protect its critical/sensitive data, networks, and assets,” according to the report. Some of the IT team belongs to a labor union, the report notes, which has declined to put into place some of the changes because of its collective bargaining agreement. 

The inspector general has for years informed WMATA of its vulnerability to security threats and noted Metro failed to act on 51 cybersecurity-related recommendations from oversight agencies, some of which were issued as early as 2019. 

The IG pointed out that the agency’s own internal audit and compliance group had recommended that all laptops used by WMATA have “full disk encryption installed” to protect critical and sensitive information.

“To date this recommendation remains unimplemented and WMATA’s mobile devices are issued and deployed without encryption,” the report says.   

“Given the current threat environment, the report stated that it can be assumed vulnerabilities do or will exist within WMATA’s systems,” the inspector general said. “These vulnerabilities, if left unaddressed and subsequently become exploited by a threat, could render WMATA susceptible to unacceptable outcomes.” 

In a response to the inspector general, WMATA acknowledged it has room to grow, but defended its handling of cybersecurity, arguing that the inspector general’s report failed to recognize improvements the IT department has made. WMATA chief information officer Torri Martin and chief audit and risk officer Elizabeth Sullivan also said there was no “concrete indication” that the contents of the OneDrive were downloaded in Russia.