When the Steamship Authority suffered a ransomware cyberattack on June 2, 2021, operations were disrupted for a week, customers were unable to make reservations online or over the phone, and staff were forced to use pen and paper at ticket booths and only accept cash.
The ferry line's systems were gradually restored, with the SSA announcing full restoration on June 30, 2021. No ransom was paid, and no customer personal information was leaked.
Three years on, the incident remains unsolved, and the ferry company has been accused of poor cyber defenses.
In an audit report issued Feb. 5, the Massachusetts Office of the Auditor concluded that the SSA had engaged in “undocumented cybersecurity awareness training practices.”
The audit found that 662 SSA employees and 114 new recruits were required to take cyber defense training courses in 2020 and 2021. However, more than 70 percent of the regular employees and more than half of the new recruits did not complete the course within a year.
According to the report, in November 2019, the SSA began requiring employees to take online cybersecurity awareness courses on electronic communications, email, phishing and protecting personal information.
However, the SSA failed to ensure employees did so, and the ferry service was found to have lacked a “formally documented cybersecurity awareness program that included knowledge checks, monitoring and updating as necessary.”
Some employees did not have access to computers to complete their training, according to the report.
The committee recommended that SSA follow the Massachusetts Department of Technology Services and Security's standards for information security risk management, including giving employees 30 days to complete the course instead of a year.
It warned that if the SSA does not tighten its training protocols, the risk of cyber attacks could increase, leading to “financial and/or reputational loss.”
SSA spokesman Sean Driscoll said the ferry companies had already updated their cybersecurity training when the audit results were released, and the agency has distributed more laptops to offices and ships for training, but did not provide details.
The authorities also 2021 Attacks. Last month, the FBI denied a Freedom of Information Act request from The New York Times for records containing its analysis and conclusions of the investigation.
The department said in its letter that the investigation is still ongoing and “disclosure of information could well prejudice the enforcement proceedings.”
The Cybersecurity and Infrastructure Security Agency defines ransomware as “a type of malware designed to encrypt files on a device, rendering them and/or systems that depend on them unavailable. Malicious actors then demand a ransom in exchange for decryption.”
Senator Edward Markey (D-Mass.), considered the telecommunications and technology expert in Congress, initially blamed Moscow for the cyberattack.
“Nobody imagined that Russia would attack the Steamship Authority,” he said at a 2021 press conference. He backtracked. Authorities have not named any suspects.
Markey and Rep. Bill Keating (D-Bourne) did not respond to requests for comment this week. An aide to Sen. Elizabeth Warren (D-Mass.) declined to comment.
Doug Domin, senior special agent in charge of the FBI's Boston office, told The Times that investigating cybercrimes like ransomware can take years.
According to the FBI's Internet Crime Complaint Center, the bureau received 9,915 cybercrime complaints in Massachusetts in 2023, resulting in losses of $235.89 million. Cybercrime includes data breaches, phishing, credit card fraud, and more.
While only 11 states have high numbers of complaints, Domin said cybercrime is definitely underreported. “What we're seeing is just a small percentage of the total victims out there,” he said.
Domin said the FBI's Boston office receives three to four ransomware complaints each week from victims in Massachusetts, Rhode Island, New Hampshire and Maine.
According to FBI statistics, Massachusetts residents were victims of 77 ransomware attacks in 2023, but no one paid.
Cybercriminals are exploiting vulnerabilities in cellphones and other devices and using social media and other online networks to gather information, Domin said. Martha's Vineyard is known worldwide for its wealth, making it a particularly attractive target.
“Martha's Vineyard may be rural geographically, but it may not be so rural online,” Domin said.
Last month, the SSA Board of Directors A long overdue new website, there are also cybersecurity concerns.
“This never stops,” Driscoll said. “It's a constant race against bad actors.”
Domin said anyone who has been the target of a cyberattack that includes a ransomware demand should contact the FBI. For more resources, visit https://www.cisa.gov/stopransomware.