Ex-DC Metro contractor logged in to sensitive system from Russia, watchdog finds

A former Washington, DC, Metro transit system contractor retained access to "critical and sensitive" Metro data from his computer in Russia after he left his job in a breach that raises broader security concerns about one of the nation's largest transit systems, according to a report released Wednesday.

The cybersecurity vulnerabilities of the Washington Metropolitan Area Transit Authority are "a cause of grave concern" that the authority's networks are "at unacceptable risk" of hacking or other forms of compromise, a report from the WMATA's inspector general concluded.

It's the latest in a series of warnings from auditors over years that a transit system that serves hundreds of thousands of people each day in the nation's capital could be susceptible to sabotage or data theft.

The report comes as the WMATA continues to embrace digital technologies that, if unsecured, could open up further avenues for hackers. In 2019, US lawmakers blocked WMATA from using Chinese made rail cars out of concerns that they presented cybersecurity risks.

In response to the new inspector general report, WMATA said it had made "measurable improvements" to its cybersecurity in recent years. WMATA also said Microsoft, which it hired to investigate the remote login from Russia, found no sign of ongoing malicious cyber activity on the network.

The Washington Post first reported on the inspector general's findings.

Officials from the inspector general's office have in recent weeks raised their concerns about the WMATA's cybersecurity practices with congressional committees and multiple federal agencies, a person familiar with the matter told CNN.