Utah drivers who signed up to pay freeway express-lane tolls electronically may be at risk for theft of their personal data.
The state on Tuesday shut down the Express Pass website that drivers use to access and add money to their accounts after one user found he “could obtain information not only on his account, but also others” and warned officials, said John Gleason, spokesman for the Utah Department of Transportation.
That website is operated by a third-party vendor, Etan Industries, said Stephanie Weteling, spokeswoman for the Utah Department of Technology Services.
“When we were notified there was a vulnerability, we took the website offline. It is still currently offline,” she said Wednesday.
She said the contractor has been working to fix the security problems.
“When they are finished with that, we will look at everything and make sure it looks secure — and we will get that back up online as soon as we’re fully confident that the website has been secured,” she said.
Weteling said the state has requested logs from the website “so that we can see who accessed what.” She said the state so far is unsure if personal data was accessed by others and, if so, how widespread a breach may be. “We’re looking into it.”
She added, “The information that would have been available to anyone is the name, the address, the email address, the last four digits of a credit card number, and the security questions and answers on the account.”
While that may not be the most sensitive of all information, Gleason said, “That’s not acceptable. Cyber security is a growing concern and we need to do everything within our power to protect the security of everyone who uses our websites.”
It could affect up to 21,000 people. Gleason said Express Pass has 16,000 active accounts now for transponders to pay express-lane tolls on Interstate 15, and another 4,000 to 5,000 expired accounts that could still have data online.
Meanwhile, Gleason said it is unfortunate that Express Pass users will not be able to access their accounts until the security problem is fixed.
“Unfortunately, no one’s going to be permitted to access the website while DTS looks into the situation,” he said.