They are probably thinking of the MBTA CharlieCard[0][1], which was cracked by MIT students. The MBTA sued them to try to keep them from presenting their research at DEFCON.
That does actually make more sense, given the OP’s comment about master keys leaking. I remembered the CharlieCard thing because it was a pretty big deal at the time, and I couldn’t find anything relevant about MTA when I searched, so assumed it was a misremembering since this all happened over a decade ago. Thanks for the link! (I wonder what the outcome was of New York’s audit…)
[0] https://en.wikipedia.org/wiki/CharlieCard#Security_concerns
[1] https://archive.boston.com/business/articles/2008/03/06/t_ca...