[BreachExchange] Security flaw may have exposed personal info on 21, 000 Utah Express Pass users

Wed Nov 8 16:08:54 EST 2017

https://www.deseretnews.com/article/900003671/security-flaw-may-have-exposed-personal-info-on-21000-utah-express-pass-users.html

A vigilant UDOT Express Pass customer discovered a glaring security
breach in the third-party website that manages pass accounts, but
state officials don't yet know if the personal information of
approximately 21,000 current and former customers has been
compromised.

That information on customers who have purchased passes for accessing
HOV lanes includes names and addresses, phone numbers, and credit card
information — including the last four digits of account numbers and
expiration dates, and even the security question and answer associated
with the account. UDOT officials indicated there are currently 16,000
active Express Pass users and 4,000-5,000 nonactive users.

Utah Department of Technology Services spokeswoman Stephanie Weteling
said the state requested the vendor, Texas-based Etan Industries, take
down the site Tuesday afternoon. The agency, which oversees contracts
with vendors, has not yet determined the extent of the flaw, how long
its been there or whose personal information, if any, has been
harvested by outsiders, she said.

"We're currently investigating to find out what happened and what has
been impacted," Weteling said. "We've requested the logs to see
exactly who accessed what as part of our investigation."

According to Tyler Fitts, a Sandy resident and IT professional who has
been using the Express Pass for about four years, getting to the
information was shockingly easy.

"Takes a basic skill level, but no more than a basic skill level, to
be able to run through and get everyone's information on there," Fitts
said. "I'm glad they took down the site while they get it figured
out."

Fitts said he was checking his pass account balance last Friday
evening and remembered he had received a notice to update his account
password since the state had switched to a new provider in September.
While working to update that password, his browser crashed. Being an
IT guy, Fitts opened a window showing the computer code, an operation
that only requires hitting F12 on most browsers, and was surprised to
find his complete personal information showing.

"I was shocked that any state government would contract with someone
who does this today," Fitts said. "It’s wreckless and incompetent for
sure."

What went wrong, and who is accountable, is something the state hopes
to ascertain in the coming days. Weteling said vendors must pass a
stringent vetting process to qualify to do business with the state.

"All of our state contracts have specific terms and conditions and
(contractors) must meet all of our security processes and guidelines,"
Weteling said. "It’s a pretty robust process."

She added that, pending the outcome of her department's investigation,
liability was shared by both the state and the vendor.

A KSL-TV staffer was able to replicate Fitts' approach to accessing
information on the Express Pass site, and randomly located Salt Lake
attorney Steven Linton. Linton said he was bothered by hearing how
easily his personal information was found.

"Seems like the state should be very careful about this, if anyone
would be," Linton said. "Charging people to be in that lane but not
keeping their information safe is worrisome.

"I hope that they figure it out and it’s not something that becomes a
problem and, that if it is a problem, that they take care of it."

Weteling pledged that the state would send out appropriate
notification to customers in the Express Pass database as soon as they
complete their investigation, though she was not able to estimate how
long that may take.

While the Express Pass is a UDOT-specific product, the transportation
agency does not manage or oversee the vendor who operates the pass
website. However, UDOT spokesman John Gleason said cybersecurity
issues are something his agency takes very seriously.

"Cybersecurity is a growing concern and the security of our Express
Pass users is a very high priority for UDOT," Gleason said. "We want
to make sure we’re taking every precaution for those who use our
system. I know DTS has their best people working on it."