
Keeping an eye on cyberattacks

Hackers love an open door, and ransomware attacks on transit agencies are rising. Ben Spencer examines a report by Mineta Transportation Institute on keeping personal data safe
By Ben Spencer, March 24, 2022
Biometric data, especially when combined with other personal data points, constitutes PII and introduces ‘additional levels of complexity’ to data management © Viculia | Dreamstime.com

Robust cybersecurity practices are required to protect personal data and the US transit industry. The Mineta Transportation Institute’s white paper Personal Data Protection as a Driver for Improved Cybersecurity Practices in U.S. Public Transit says efforts to modernise public transit and provide better, more efficient services regularly require information about who, when, where and how transit services are being used.

But expanding data collection increases the importance of secure data management and privacy practices – “something lacking in many US transit agencies”, it points out.

This is an important issue because, ultimately, transit agencies will be held to account for the security of the data they collect, process and leverage for service delivery or other purposes.

To give a little context, Mineta points out that the opportunity to collect and process data from vehicles and customers in public transit has “never been greater”, with technology developments in fare management and GPS vehicle tracking offering new data collection tools.

Among these new opportunities is information that, in the wrong hands, could be used to the detriment of an individual or group of people. Specifically, the theft and sale of personally identifiable information (PII) has what the paper calls a “robust marketplace, often referred to as the dark web, and can be quite lucrative”.

Identity theft

Gaining access to sensitive PII or a collection of data points that, when linked, provide a detailed profile of an individual, can facilitate fraudulent purchases, identity theft and illegal monitoring.

The US National Institute of Standards and Technology at the US Department of Commerce defines personal data as any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

In the US, the regulatory environment governing the protection and use of PII by public and private entities and an individual’s right to control how their personal data is used is “a patchwork at best”, Mineta says.

The US is also not among the 17 countries that have comprehensive national data protection laws in place, which include Canada, South Africa, Japan, New Zealand and Brazil.

US entities are going to face an “increasingly complex process” of navigating extra-territorial and data export requirements as more countries enact laws governing the data of their residents, the paper adds.

Additionally, most digital privacy rights are being “crafted at the state level”, with California’s Consumer Privacy Act as the leading model.

Types of data

According to the paper, this increases the importance for transit agencies to have a clear picture of the types of data they and their vendors collect, and the ability to comply with local and state rules potentially governing this information.

Last October, the Transportation Security Administration issued a directive outlining new cybersecurity mandates for railroad and rail transit systems, and the authors of the paper expect the same provisions to be rolled out to large transit providers.

Among the new mandates are requirements for companies to designate a cybersecurity point person at their organisation, and for any cyber incident to be reported to the Department of Homeland Security in a timely manner.

Elsewhere, the paper explores the use of facial recognition (which has recently been introduced on Moscow’s Metro system). Mineta advises that the “well-documented shortcomings” of the technology in accurately identifying an individual create several reasons why transit agencies should pursue such data collection with “extreme caution”.

Biometric data, especially when combined with other personal data points, constitutes PII and introduces “additional levels of complexity” to data management.

For example, still photographs are not PII on their own, but become biometric data when run through facial recognition software.

The document highlights that a patchwork of state and local laws governs the collection and use of biometric data, something with which any agency considering facial recognition needs to be “well versed”.

Another part of the document focuses on employee records, warning that a failure to adequately secure employee data and records places “large troves” of PII at risk of exploitation by “nefarious actors”.

According to Check Point Research, the global transit industry has experienced a 186% year-on-year increase in weekly ransomware attacks since June 2020.

TransLink ransomware attack

For instance, a ransomware attack hit Vancouver’s transit provider, TransLink, last December, shutting down some modes of payment for customers.

The perpetrator was identified as the Egregor ransomware gang, a group known to sometimes publish stolen information even after a ransom payment. TransLink did not pay the $7.5 million ransom because of this risk.

The paper insists that transit agencies must ensure that employees can be confident their personal information, like banking details and healthcare records, is secure. A failure to protect this opens the employee up to potential harm and the company up to lawsuits.

A separate section of Personal Data Protection as a Driver for Improved Cybersecurity Practices in U.S. Public Transit provides steps to protect PII, clarifying that the ability to protect sensitive personal information collected by transit agencies and their vendors starts with the overall enterprise risk and security practices of the organisations.

Some steps for protection include: reviewing the types of information being collected and how it is used, as well as articulating the organisation’s privacy policies in accordance with local, state and federal laws, business needs, legal ramifications and customer data privacy interests. Another recommendation is to ensure proper controls are in place, per agency cybersecurity policies and protocols, to limit internal and external access to PII.

Mineta’s paper concludes by saying that if the agency does not yet have the cybersecurity capabilities to reliably secure specific data flows, perhaps it would be best to forgo collection until such time that securing them is possible.

