After a more than weeklong outage in the state’s vehicle inspection system, service stations on Wednesday finally started receiving a software fix that is expected to solve the malware attack that hamstrung the testing program in Massachusetts and seven other states.
The contractor targeted by the attack, Applus Technologies, sent the software updates on flash drives to more than 1,700 shops in Massachusetts and walked operators through a reboot intended to protect the machines.
The inspection system has been offline since the attack on Applus on March 30, and is unlikely to be back online this week, according to the Massachusetts Registry of Motor Vehicles.
Applus has also told service station owners that it cannot provide a timetable for restart. “We do know it will not be a matter of hours or days,” according to a document on its website dated Tuesday. Applus did not respond to requests for comment.
The software updates still represent a major milestone in the effort to repair the damage caused by the breach, which may have enabled attackers to steal bank account data and other sensitive information of individual service stations. Applus has said it “it is likely that there has been no breach of personal or confidential client information,” but nonetheless has retained a “computer forensic investigator to determine the scope of the malware attack.”
The attack has also delayed hundreds if not thousands of vehicle inspections, leaving those cars with expired stickers and depriving stations of income during the period. Massachusetts officials have adopted a one-month grace period for vehicles with March inspection stickers and encouraged law enforcement to not cite drivers with expired stickers from that month. Vehicles purchased after March 23 also have until April 30 to get an inspection.
“It’s an annoyance and aggravation for the customers,” said Kelly DiBacco, co-owner of DiBacco’s Service Center in Beverly. “We do it as a convenience to our customers so it’s a pain. People are calling constantly — is it up and running yet ? People get nervous, they don’t want to get pulled over and you know all of those kinds of things.”
DiBacco has continued to pay the one employee hired solely to handle inspections full time even though there is no work for him. Overall, the loss of inspection fees, wages, and equipment rental has cost the business $6,000, DiBacco said.
Applus has said it will consider financial compensation to service stations.
The malware attack came just a few weeks after the Baker administration in late February authorized an extension of the company’s contract for another three years. It had been set to expire in 2022. However, state officials said Wednesday that they will not finalize the extension until Applus fixes the system.
“The RMV and DEP have informed Applus that its prompt and satisfactory resolution of the outage is a prerequisite to the Commonwealth proceeding with any extension, and the agencies will ensure that Applus has proper preventative and mitigation measures in place,” Judith Riley, a spokeswoman for the RMV, said in a statement.
State officials also said they have notified Applus it is violating the contract, which calls for a $5,000 a day penalty for high-level software-related defects. The terms of the contract also allow Massachusetts to terminate Applus for cause, which could carry a penalty of up to $3 million.
Applus Technologies has been paid $22 million since fiscal 2018, according to state records. While service station owners receive the bulk of the $35 inspection fee motorists pay, Applus receives $1.36 for each vehicle, and the state receives $10.14.
This is not Applus’s first snafu in Massachusetts. In 2000, under its previous name Agbar Technologies, the company won the state contract to provide vehicle inspection services. But a 2003 state audit found that the company’s testing systems often gave passing grades to cars that polluted too much, while forcing consumers to seek unnecessary repairs for clean-running cars.
In 2008, the state awarded the vehicle inspection contract to a rival company, Parsons. Applus subsequently won the bidding in 2016 for a new contract with a five-year term. But when the company returned to Massachusetts, hundreds of service stations reported a variety of troubles operating the technology. State officials later acknowledged they had failed to adequately prepare inspectors for the change.
In Georgia, one of several other states where Applus operates the inspection program, officials are “reviewing the contract and evaluating our options,” but had no further comment, said Kevin Chambers, a spokesman for the state’s Department of Natural Resources.
Applus has told station owners the software repair is necessary to insure their machines were not infected by the malware attack.
The document posted on the company’s website for the Massachusetts system indicates that station owners are concerned their financial information may have been exposed. Applus told operators that it does not know if any of their information was compromised and recommended they “monitor your financial accounts for any unauthorized activity and alert authorities and your bank if you see anything unusual.”
Bob Rudis, chief data scientist for Boston data security company Rapid7, said it probably was a type of malware known as “ransomware,” in which hackers lock data stored on compromised computers, then demand money, often payable in bitcoin, in exchange for releasing it. If payment isn’t made, the company or government organization could lose its stored data.
Ransomware attacks reported to the FBI increased by 21 percent last year. Analysts at Akamai and other data security firms say the actual number of such attacks is far higher, because so many go unreported.
Rudis said a company such as Applus, with thousands of users in eight states, makes a prime target. “They are more likely to pay, due to the spillover effect downtime will have on paying customers, such as all the inspection stations in the affected states,” he said.
Whether or not the hack involved ransomware, the attackers may have left behind other toxic software that could, for example, intercept sensitive information about the service stations where they’re installed. That means victims must also purge every system that may have been compromised.
“The safest course of action for any organization that suffers such an attack to do is bleach everything and rebuild from scratch,” said Rudis. “This is a super costly endeavor for many organizations but it is the only real way to ensure the attackers have been fully removed from the environment.”
The frustration for station owners goes beyond the lost business and laborious reboot of their systems. Bo Eldredge of Route 134 Auto Care in Dennis typically does about about 500 inspections a month.
“Right now we have a call list of about 60 people that we have to call once we’re back up and running,” Eldredge said, adding the shutdown is “pretty significant considering that the inspections also bring on other work for repairs.”