Updated June 23
At the Steamship Authority’s first board meeting since a June 2 ransomware attack, general manager Robert Davis said no ransom was paid to get the ferry line’s website and reservation system back in working order.
“This incident was a criminal act,” Davis told the board and the Port Council, in what was a joint Zoom session.
Board members asked Davis for more details, particularly whether any customer information was breached.
Davis said he could not comment until the investigation is completed. In his opening remarks, Davis confirmed what The Times has been reporting all along, that the FBI is leading the investigation along with the Massachusetts State Police.
Systems have been back operating for a little more than a week, and ferry operations were only affected by minor delays, Davis said. “No scheduled trips were canceled,” Davis said.
When reporters asked Davis questions about the attack, he didn’t provide many answers. Davis declined to provide details about the restoration of the website and other SSA systems except to say staff did a laudable job utilizing backups. He declined to identify the security firm that has been assisting the ferry line, declined to acknowledge whether a ransom was even requested, and if so, what amount may have been demanded. Asked by The Times if an insurance claim has been made or will be made, Davis also declined to answer. When The Times attempted to pose a question to the SSA’s security director, SSA spokesman Sean Driscoll responded. “Mr. Falvey is not at the meeting,” Driscoll said.
When asked why Falvey wasn’t present to give a report on a security-centric issue, Davis said,
“Not all staff members attend all meetings.”
Asked by The Times if the ferry line’s Learning Management System (LMS) was compromised by the ransomware attack, Davis reaffirmed a disinclination to provide specifics.
“Again, any details regarding specific systems — until the investigation is completed — no comments in that regard,” he said.
However, when asked if eFerry ticketing was operational at SSA terminals, Davis broke from his stance. “That’s one system that’s not up and running at this point,” he said.
Davis then didn’t respond to a question as to whether any other systems the public might interface with might still be down.
Driscoll said he would provide additional information on the subject at a later time. Tuesday afternoon he told The Times that in addition to eFerry tickets, multiride cards aren’t yet restored.
Asked if other law enforcement agencies besides the FBI, Massachusetts State Police, and U.S. Coast Guard are investigating the attack, Davis said he was “not aware of any other agencies that have been called in.”
He added that he was “sure that the FBI has resources in other departments that they may be working with.”
Shortly after the public session ended, Driscoll sent out a release. “The Steamship Authority takes the security of its information technology systems seriously, and we are actively working with third-party cybersecurity forensic investigators, as well as law enforcement, to determine the full nature and scope of the event,” Davis said through the release. “As part of our analysis, we have undertaken a comprehensive review of our systems and implemented additional safeguards. These new safeguards have been implemented alongside the already robust protocols that allowed the authority to quickly recover from this incident. At this time, most of our key customer functions have been fully and safely restored. Reservations can be made or changed on our website, via phone, or at a terminal, and credit cards may now be used at all locations.”
Tuesday night, Jim Malkin, the Vineyard’s representative on the SSA board and chair of the Chilmark select board, told his fellow select board members his ability to disclose details about the attack was limited, but he took the opportunity to laud the work of SSA IT personnel.
“There’s not much we’re allowed to say under the guidance of the agencies that are involved with this thing,” Malkin said. “But the technical staff of the Steamship Authority, given the size of the budget they have, did a far better job, I believe — based on everything I know — than the technical staffs of major banks, of the credit rating agencies, of pipeline [owners] and meat processors who have IT budgets hundreds of times larger.”
Malkin also praised the work of SSA personnel who interfaced with the public over the last three weeks.
In other business, the SSA canceled a public engagement session planned for Tuesday night on designs for the Woods Hole terminal after objections were raised by board chair Kathryn Wilson. The meeting had been scheduled for earlier this month, but had to be postponed because SSA officials were preoccupied dealing with the ransomware attack.
Wilson asked if the new designs were even available to the public on the SSA’s website, and was told they were not.
No new date has been set for the session with terminal architects BIA.studio.
Updated with comments from Malkin.