Cyber Incident Victim: Keolis Commuter Services
Date: Oct 2020
Location: United States of America
Summary
A ransomware attack targeted Keolis Commuter Services, the operator of the MBTA Commuter Rail. After its advanced threat detection systems flagged the activity, the company immediately deactivated its Boston-area network. The incident did not compromise operational safety systems, passenger data, or service continuity, and had no impact on broader transit infrastructure. Internal employee support measures such as credit monitoring were implemented. The company confirmed that no safety-critical systems were accessed and worked with forensic experts to investigate. The operator maintained all contracted services throughout the event.
Description
On October 10, 2020, Keolis Commuter Services, the contracted operator of the MBTA Commuter Rail system in Boston, experienced a cybersecurity incident in the early morning hours. The company identified unauthorized activity through its advanced threat detection systems, prompting immediate containment measures. Within hours of detection, Keolis deactivated its entire Boston-area network to isolate the threat and prevent further spread. The incident was later confirmed to be a ransomware attack targeting Keolis’ operational networks. Keolis emphasized that no safety-critical systems were compromised during the event, ensuring no risk to rail operations or passenger safety. The company clarified that its other global networks remained unaffected and reiterated that MBTA-owned infrastructure—including tracks, signals, and stations—was not impacted due to the separation between Keolis’ operational systems and the transit authority’s core assets.

Keolis initiated a coordinated response involving forensic experts to investigate the breach’s scope and origins. While the attack disrupted internal administrative and corporate systems, the company confirmed it did not store passenger data, limiting potential privacy risks. Impacted employees were offered credit monitoring and identity theft protection services as a precautionary measure. The incident occurred shortly after Keolis secured a four-year contract extension to operate the commuter rail through 2026, with no reported disruptions to ongoing service or long-term operational plans. Keolis maintained public assurances that the event would not affect the safety or reliability of commuter rail operations, aligning with its contractual obligations to the MBTA amidst broader state efforts to modernize the transit system.
