Laura Bliss is a staff writer at CityLab, covering transportation and the environment. She also authors MapLab, a biweekly newsletter about maps (subscribe here). Her work has appeared in the New York Times, The Atlantic, Los Angeles magazine, and beyond.
It’s not just Uber. New transportation services come with data risks, even when they’re from a public agency.
Had Uber not agreed to pay a $100 million ransom to hackers last year, the personal data of some 57 million riders and drivers may have been exposed. That 2016 breach, which was kept secret for one year by the world’s largest ride-hailing company, is now the subject of multiple state investigations.
Apart from being a fresh round of bad press for the oft-bruised company, the news is a reminder that data hacks are a new normal for consumers of all kinds of goods and services, including mobility. That not only means app-based, private services like ride-hailing and microtransit that depend on personal hardware, like credit cards and phones, but also public transport.
To streamline boarding and compete with emerging technologies, transit agencies are increasingly rolling out “contactless” payment systems. New York City’s MTA announced in October that it will built such a system beginning in late 2018, installing new fare collection readers in 500 subway stops and 600 buses that allow passengers to wave a smartphone or certain type of credit cards to board. The Boston’s MBTA will work with the same company, Cubic, to adopt that technology in 2020.
London is known for pioneering a similar system. About 25 percent of its trips are paid via waggling smartphones or credit cards across the London Underground; the majority of the remainder are made via contactless Oyster card. Transport for London, the agency that operates the underground, has been subject to numerous data leaks in the years since adopting both contactless systems—not criminal hacks, like Uber’s, but low-level and even inadvertent compromises.
The president of Cubic, which also now handles London’s contactless payment systems, told the New York Times last month that the technology has been upgraded numerous times to reduce vulnerabilities, and that the system New York is getting is based on even newer banking-industry security standards.
Still, the fact remains that public agencies are increasingly making themselves accountable for the safekeeping of customer data—a relatively new paradigm, at least in U.S. cities.
“[They] used to think [hacks] only happened to the private sector,” said Greg Rodriguez, a Washington, D.C.-based lawyer who specializes in helping the public sector adopt new technologies. “That is no longer the case, as hackers have realized that public agencies have only recently started to address cybersecurity issues for their systems.”
Just this past weekend, hackers attacked the Sacramento Regional Transit’s computer network, erasing data and threatening to do worse harm if the agency failed to cough up a bitcoin ransom. (The agency determined that no data had been stolen.) San Francisco’s MTA experienced a similar breach last Thanksgiving.
Passenger data was not affected in either instance. But as public agencies launch new mobility technologies focused on convenience—including contactless payment, app-based “microtransit” options, and connected vehicles—“these vulnerabilities are going to grow,” Rodriguez said.
It might be an awful lot to ask cash-strapped public transit agencies to maintain banking-industry-level safeguards on our personal data. But the answer is not to bring back hacker-proof tokens (or, in New York, to stick with highly fallible and easily lost yellow Metrocards). It’s more about recognizing the tradeoffs that come with every new and “improved” technology. Security experts widely acknowledge that 100 percent cybersecurity, in virtually any system, is impossible. Public agencies are beginning to implement rigorous cybersecurity practices. But as customers start to use the same tools to board buses and trains as to shop at Target and pay for car rides, they’ll have to realize that the same risks are there, too.