Metro website security breach made personal data accessible to public

Photo: Flickr/quasireversible

Metro officials say that they're working diligently to fix a security breach on their website that potentially allowed a person to access the personal information of anyone who has applied for a job with WMATA.

That data could be accessed by anyone who had the email address of a Metro applicant and was willing to do a little bit of clicking through's Careers section.

The issue, which was brought to light by a caller to the ABC 7 newsroom, allowed people to quickly access the full profiles of job applicants, including resumes, addresses, phone numbers, references and several other pieces of data.

7 On Your Side verified the claims by entering the email address of a Metro applicant into the "Refer A Friend" feature on the site. We were then able to access profiles of at least three people, including the viewer who contacted us and a current Metro employee.

"This is a pretty critical issue," Jack Mannino, who runs a Gainesville-based cybersecurity company, said. "Someone could take this in 20 or 30 minutes and pull all the information out of the system for everybody that potentially put anything in there."

ABC 7 immediately notified WMATA officials of the problem, and in a statement, they said that they immediately removed the Refer A Friend feature from the website, which had been there for about two months. They added that the error did not allow for the release of sensitive personal information.

The viewer who tipped us off to the glitch said that he tried on numerous occasions to alert Metro about the problem, but got no response.

Metro has not answered repeated questions about the number of applicant profiles stored on their website. WMATA spokeswoman Caroline Lukas said in an email the maximum number of actual Metro employees who could have personally been affected is 13.

Here's the full Metro statement:

Upon being notified of the condition, we immediately removed the "refer a friend" feature from our website and will work with the software vendor to make appropriate fixes before redeploying it. It is important to note that this error required knowledge of an applicant’s email address, and did not allow for the release of sensitive personal information, such as employment records or social security numbers. The "refer a friend" feature had only been on our website for about two months. The FY12 approved budget authorized 11,319 positions.