How Transit Companies Can Keep Their (And Your) Data Secure

We’ve seen a handful of attacks on public services over the past year. A couple of months ago, the San Francisco Municipal Transportation Agency was successfully attacked by hackers. While the damage done was minor, it’s the latest in a series of attacks on public services and government systems. An anonymous hacker claimed to have stolen more than 200 gigabytes of files from the Department of Homeland Security, which included the names and contact information of some 30,000 employees. And in Illinois, State Board of Elections officials believe voter personal information, such as driver’s license numbers and the last four digits of Social Security numbers, could have been accessed. In fact, my own data was leaked in a vendor’s system that processes online sales of hunting and fishing licenses. With the expansion of the Internet of Things, the threat of cyber attacks and stolen information isn’t going away anytime soon. It’s not all bad news, though. Companies and consumers alike can take proactive steps to minimize risk and limit the damage if an attack does strike.

First, it’s important to know which attacks to look out for. While there are many different types, a few are among the most common. Malware – any software used to disrupt computer or mobile operations, gather sensitive data, or otherwise gain access to private systems – is often seen in one of several forms, including computer viruses, worms, spyware, adware, or ransomware. That last one, which is what was used in the SF Muni attack, is a type of malicious software designed to block access to a computer system until a sum of money is paid. In this case, though, no money was exchanged. Ransomware often utilizes a Trojan that has a payload disguised as a legitimate file. Clicking on that tainted file installs the ransomware.

Another threat comes not from outside hackers, but rather those closest to the company. Last year, a federal contractor was charged with stealing top-secret data. In this case, an employee had top-secret clearance and was responsible for an apparent leak that resulted in a cache of National Security Agency hacking tools appearing online. It can be difficult to know what an employee might do that could compromise security, whether willingly or unknowingly. That’s why it’s critical for transit companies to take action to limit their exposure to these types of attacks.

For starters, employee education is a must. Insufficient training is cited as one of the major mistakes a company can make when it comes to protecting information. Companies need to hold their employees accountable; this means educating them on the company data policy and making sure they’re using strong passwords on all devices. Furthermore, companies should consider limiting the data their employees can access. Once an employee leaves the company, the company should make sure all of their devices are returned and reset to factory settings and, equally important, that any servers the former employee was able to access have their passwords updated.




Transit agencies should regularly submit to external security and IT audits. The benefits of an audit are plentiful: it identifies weaknesses in internal control, lends credibility to financial statements, and provides unbiased, expert recommendations. In Austin, an annual comprehensive report contains financial statements audited by an independent external auditing firm. The firm varies from year to year; previous auditors have included Padgett Stratemann and KPMG. Every three years, the U.S. Department of Transportation’s Federal Transit Administration conducts an assessment of grantee compliance with Federal requirements, and every four years, certain metro transportation authorities must prepare an audit. This audit looks at the agency’s compliance with the applicable state law, recent trends in several performance indicators, and topics around agency administration, management, system maintenance, and operations. These criteria vary by state, so transit companies should check the most recent guidelines for their own state.

Finally, a company should take a look at the information it’s collecting from consumers – is all of it truly worth obtaining? While all data should be backed up regardless, it’s a good idea to see if some of the personal data that’s gathered, such as date of birth or the last four of an SSN, is really necessary. Collecting less could help minimize damage in case of a breach. And if the worst-case scenario happens and a breach does occur, be transparent and take action quickly. 47 states require disclosing a breach if it occurs. Customers will be much more likely to once again trust a company that is honest and upfront when a situation arises.

Consumers, meanwhile, should utilize strong passwords on their devices and any apps or websites they use. Consider this: the most common passwords include “password” and “123456.” That’s pretty embarrassing. Use a mix of letters, numbers, and special characters and update your passwords every few months. If the idea of memorizing a lot of passwords seems daunting, try out a password manager.

Consumers should also take advantage of updates to operating systems and transit apps when they are available. I’ve heard people complain or hesitate about updating, but there’s a reason why updates exist. They’re patching, fixing, and improving the platform so you have a better experience. That includes upgraded security, as well. It’s worth taking the time to update whenever one is available.

Additionally, remember the old adage that if a deal sounds too good to be true, it probably is. Don’t click on any suspicious links in an email or download attachments, even if the email is from a transit company you use. Confirm on the company’s site or do a quick Google search – “company name + scam” is usually sufficient – to ensure a deal or offer is legitimate.

Transit companies and consumers must both play a part in data security. In the mobile space, trust between clients and servers is crucial in preventing man-in-the-middle attacks, in which an attacker intercepts traffic between the app and the server. Make sure the provider of mobile apps is a trusted company. By working together, we can ensure we’re taking the best action against potential threats. With a proactive approach, the damage done if an attack occurs can be minimized.

Please note that this article expresses the opinions of the author and does not reflect the views of Move Forward.