SALT LAKE CITY — A vigilant UDOT Express Pass customer discovered a glaring security breach in the third-party website that manages pass accounts, but state officials don't yet know if the personal information of approximately 21,000 current and former customers has been compromised.
That information on customers who have purchased passes for accessing HOV lanes includes names and addresses, phone numbers, and credit card information — including the last four digits of account numbers and expiration dates, and even the security question and answer associated with the account. UDOT officials indicated there are currently 16,000 active Express Pass users and 4,000-5,000 nonactive users.
Utah Department of Technology Services spokeswoman Stephanie Weteling said the state requested the vendor, Texas-based Etan Industries, take down the site Tuesday afternoon. The agency, which oversees contracts with vendors, has not yet determined the extent of the flaw, how long its been there or whose personal information, if any, has been harvested by outsiders, she said.
"We're currently investigating to find out what happened and what has been impacted," Weteling said. "We've requested the logs to see exactly who accessed what as part of our investigation."
According to Tyler Fitts, a Sandy resident and IT professional who has been using the Express Pass for about four years, getting to the information was shockingly easy.
"Takes a basic skill level, but no more than a basic skill level, to be able to run through and get everyone's information on there," Fitts said. "I'm glad they took down the site while they get it figured out."
Fitts said he was checking his pass account balance last Friday evening and remembered he had received a notice to update his account password since the state had switched to a new provider in September. While working to update that password, his browser crashed. Being an IT guy, Fitts opened a window showing the computer code, an operation that only requires hitting F12 on most browsers, and was surprised to find his complete personal information showing.
"I was shocked that any state government would contract with someone who does this today," Fitts said. "It’s wreckless and incompetent for sure."
What went wrong, and who is accountable, is something the state hopes to ascertain in the coming days. Weteling said vendors must pass a stringent vetting process to qualify to do business with the state.
"All of our state contracts have specific terms and conditions and (contractors) must meet all of our security processes and guidelines," Weteling said. "It’s a pretty robust process."
She added that, pending the outcome of her department's investigation, liability was shared by both the state and the vendor.
A KSL-TV staffer was able to replicate Fitts' approach to accessing information on the Express Pass site, and randomly located Salt Lake attorney Steven Linton. Linton said he was bothered by hearing how easily his personal information was found.
"Seems like the state should be very careful about this, if anyone would be," Linton said. "Charging people to be in that lane but not keeping their information safe is worrisome.
"I hope that they figure it out and it’s not something that becomes a problem and, that if it is a problem, that they take care of it."
Weteling pledged that the state would send out appropriate notification to customers in the Express Pass database as soon as they complete their investigation, though she was not able to estimate how long that may take.
While the Express Pass is a UDOT-specific product, the transportation agency does not manage or oversee the vendor who operates the pass website. However, UDOT spokesman John Gleason said cybersecurity issues are something his agency takes very seriously.
"Cybersecurity is a growing concern and the security of our Express Pass users is a very high priority for UDOT," Gleason said. "We want to make sure we’re taking every precaution for those who use our system. I know DTS has their best people working on it."