Cyber Incident Victim: Texas Department of Transportation
Date: May 2020
Location: United States of America
Summary
A ransomware attack targeted the Texas Department of Transportation, resulting in unauthorized network access and operational disruptions. The agency detected the incident, isolated affected systems to contain the threat, and worked to maintain critical services while resolving technical issues. The FBI joined the investigation, though no specifics regarding ransom demands, data theft, or encryption were disclosed. This followed a separate ransomware incident affecting the state’s court system days earlier, though no connection between the two attacks was confirmed.
Description
On May 14, 2020, the Texas Department of Transportation (TxDOT) detected unauthorized access to its network, which was subsequently identified as a ransomware incident. The agency took immediate containment measures, isolating affected computers from the network to prevent further spread of the malware and blocking additional unauthorized access attempts. TxDOT publicly confirmed the attack through a social media announcement, though specifics regarding the ransomware variant, the exact number of compromised systems, and whether data was encrypted or exfiltrated remained undisclosed. Technical disruptions impacted certain agency operations, with TxDOT’s website displaying notices about unavailable features due to ongoing "technical difficulties." Executive Director James Bass stated that efforts were prioritized to maintain critical transportation functions despite operational interruptions, though the nature of these disrupted services was not detailed. The agency engaged the Federal Bureau of Investigation (FBI) to assist with the investigation, following standard protocol for ransomware incidents affecting government entities.

This attack occurred less than a week after a separate ransomware incident targeting Texas’s judicial infrastructure on May 8, 2020, which forced the Office of Court Administration to take servers offline to contain the malware. Neither TxDOT nor judicial authorities confirmed any connection between the two attacks, and neither entity disclosed whether ransom demands were issued in either case. The May 14 intrusion aligned with common ransomware attack patterns, as threat actors often target weekends or evenings—such as the prior court system breach occurring on a Friday night—to exploit reduced staffing. TxDOT’s responsibilities included managing statewide road, rail, and air transportation infrastructure, including highways and traffic cameras, though the precise impact on these systems was not specified. The incident echoed a broader trend of ransomware targeting Texas government entities, including a coordinated August 2019 attack that affected 22 local governments and included a $2.5 million ransom demand, though no parallels beyond the attack vector were drawn to the 2020 events.
