When the New York MTA initially announced its transition to the OMNY tap-and-go system, security experts voiced skepticism, and those concerns were validated in August by a 404 Media investigation. The revelation that the trip history feature could potentially expose riders’ location patterns prompted the MTA to disable the feature. This incident highlighted a broader issue prevalent in contemporary public transit systems: the difficulty in opting out of the collection of sensitive data.
Brendan Saltaformaggio, an associate professor specializing in cybersecurity at the Georgia Institute of Technology, remarked, “You’re building a better system, but you’re also really stepping into a dangerous cybersecurity minefield.”
Ridership data, encompassing payment information, location data, and trip patterns, can be linked together, and transit agencies claim they use this information to improve service. However, the downside involves the potential sale of user data to advertisers, mirroring practices in the private sector, or sharing it with law enforcement. To delve deeper into this issue, Freedom of Information Act requests were submitted to various major police departments, including those in New York City, Baltimore, and Chicago, seeking information on data requests made to local transit agencies over the past decade.
However, even if the data remains dormant, it becomes increasingly susceptible to a breach unless secure infrastructure is in place to safeguard it. The primary motivation for most ransomware groups is financial gain. While the data may be in jeopardy, hackers are typically aiming to coerce public transit agencies into paying a ransom to avoid a potential data leak or being locked out of their systems. Such incidents include one at the Washington Metropolitan Area Transit Authority in Washington, DC, earlier this year and a ransomware attack that disrupted the Washington state bus system in March. Although the main objective is financial, personal data can still be compromised in the process, as evidenced by a data leak after hackers accessed San Francisco’s Bay Area Rapid Transit at the beginning of this year.
Brendan Saltaformaggio highlighted the challenge faced by these organizations, noting, “These are organizations that run on shoestring budgets, usually heavily supported by taxpayers, who are probably not going to be very excited to see all of this money being spent purely on cybersecurity with hopes of not having an incident in mind.”
The measures taken by each agency to protect sensitive information vary widely. While the Federal Transit Administration and the American Public Transportation Association offer guidelines on handling such matters, experts caution that agencies nationwide remain vulnerable to attacks and struggle to ensure the security of the data they have access to.
Transitioning to digital payments for public transit is a logical step. However, despite the growing trend toward a cashless society, physical currency remains ingrained. Joshua Schank, managing principal at transportation and financial advisory firm InfraStrategies, notes that attempts by transit agencies to eliminate cash payments may face significant backlash, as a substantial portion of the population still relies on cash for transit.
Nevertheless, alternatives like RFID-powered cards, mobile apps, and digital wallets have gained popularity, offering benefits such as free transfers and incentives from credit card companies partnering with transit agencies on non-cash payment options.
While cash payments are still accepted in many places, paying this way often means forfeiting these perks. Some agencies offer the option to purchase a card with cash, but the process is less convenient. For example, obtaining a ConnectCard in Pittsburgh requires visiting a third-party location, buying a $1 card, and having cash on hand to reload it when empty. In New York, a physical OMNY card costs $5, equivalent to one subway ride plus part of the next trip (although a limited-time deal sells cards for $1 at OMNY vending machines).
Transit agencies seem to encourage the shift to data-collecting apps and RFID smart cards, potentially penalizing individuals who prefer cash for reasons such as privacy concerns or limited banking access. This approach adds inconvenience and cost for those who choose to maintain anonymity while commuting.
Addressing these issues requires federal regulation, according to experts. Until then, exchanging personal information for marginal convenience gains in public transit remains an unavoidable aspect of the system.