MTA computer systems were hacked in April, transit officials acknowledged on Wednesday.
The New York Times first reported the breach, and it was independently confirmed by NY1.
Agency officials said the hack was part of a widespread effort affecting other government agencies and companies, reportedly by a group believed to have connections to the Chinese government.
Transit officials said there was no evidence that the breach involved transit operations.
"It was a hack that did not impact public safety, which is of the utmost importance,” said Andrew Albert, an MTA board member briefed on the hack. “The MTA is always on the case of cyber attacks."
MTA officials learned of the hack from April 20 alerts from the FBI, National Security Agency and Cybersecurity and Infrastructure Security Agency. The CISA recommended to the MTA patches and fixes within 24 hours of the notice.
Patches were applied to three of the MTA's 18 systems, according to transit officials, who declined to identify those systems.
Additionally, the MTA made 3,700 employees and contractors - or 5% of its workforce - change passwords.
In a statement, MTA Chief Technology Officer Rafail Portnoy said, "The MTA quickly and aggressively responded to this attack, bringing on Mandiant, a leading cyber security firm, whose forensic audit found no evidence operational systems were impacted, no employee or customer information breached, no data loss and no changes to our vital systems. Importantly, the MTA’s existing multi-layered security systems worked as designed, preventing spread of the attack and we continue to strengthen these comprehensive systems and remain vigilant as cyber-attacks are a growing global threat.”
The MTA hired IBM and a cybersecurity firm called Mandiant for an audit. The audit found that no evidence of accounts compromised, no breach of employee information, and no data loss or changes.
Transit officials said its security system prevented unauthorized access to other parts of the MTA's internal systems.
Alan Brill, a cyber security expert, told NY1 that the MTA was prepared, escaping the fate of other companies forced to disrupt operations from cyber attacks.
“They actively tried to mitigate the risk so that it wouldn’t spread throughout their organization and spread from wherever it entered their system, into their operating environment — the thing that makes the trains go,” Brill said. “I think that we should all be really pleased at how that worked out.”
Gov. Andrew Cuomo, who controls the MTA, declined to provide additional details at a press briefing Wednesday afternoon.
"I wanna make sure I don't do anything that would impede the investigation that the MTA is doing,” Cuomo said.