Cyber Incident Victim: Cape May-Lewes Ferry
Date:
Sep 2013
Location:
United States of America
Summary
A cybersecurity breach compromised payment card processing systems at a ferry service's food, beverage, and retail sales locations over several months, potentially exposing names, card numbers, and expiration dates. Approximately 60,000 transactions were impacted, though the reservation system handling ticket purchases remained unaffected. The operator contained the incident, restored secure card processing, and notified individuals at risk while offering complimentary identity protection services. An investigation continues, with no confirmation that specific cardholder data was stolen.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Cape May-Lewes Ferry payment card breach involved unauthorized access to card processing systems supporting food, beverage, and retail sales across its terminals and vessels. The Delaware River and Bay Authority, which operates the ferry service, was alerted to a potential security compromise on July 30, 2014. Investigators determined that attackers infiltrated systems handling transactions occurring between September 20, 2013, and August 7, 2014, potentially exposing approximately 60,000 credit and debit card transactions. The compromised data included cardholder names, payment card numbers, and expiration dates. Notably, the reservation system used for online bookings and terminal point-of-sale locations processing vehicle or passenger tickets remained unaffected. Attackers specifically targeted point-of-sale environments at concession stands and retail outlets, suggesting a focus on harvesting payment card data from in-person purchases during ferry operations. The breach window spanned nearly eleven months before detection, indicating prolonged unauthorized access to transactional systems.
Upon identifying the intrusion, authorities contained the compromise and restored the security of payment processing systems by August 2014. An ongoing forensic investigation sought to determine the intrusion methodology and whether attackers exfiltrated specific cardholder data, though officials publicly stated they had "not determined that any specific cardholder's credit and debit card data was stolen by the intruder." The Delaware River and Bay Authority implemented undisclosed enhancements to system security protocols following containment. Beginning October 24, 2014, the operator notified all potentially affected individuals via website announcements and direct communication, providing a detailed FAQ section and offering a complimentary year of identity protection services. The public disclosure confirmed the breach’s isolation to auxiliary sales systems while maintaining operational continuity for core ferry reservation and ticketing functions.