Security experts had concerns about New York MTA’s switch to an OMNY tap-and-go system. In August, a 404 Media investigation revealed the potential for anyone to follow specific riders’ location patterns. The MTA disabled the feature, but the episode highlights a broader issue: modern public transit systems make it difficult to opt out of having sensitive data collected.
Brendan Saltaformaggio, a cybersecurity expert from the Georgia Institute of Technology, warned of the dangerous cybersecurity implications of these systems. Our payment information, location data, and trip patterns are all attached to our ridership data. Transit agencies claim to use this data for improvement but may also sell it to advertisers or share it with law enforcement.
The data is also vulnerable to breaches without secure infrastructure in place to protect it. Ransomware gangs are motivated by money and often target public transit agencies to extort payment by threatening data leaks or system lockouts. Several major police departments were found to have requested data from local transit agencies over the past decade.
The protection of sensitive data varies widely across different transit agencies. While digitizing public transit payments is practical, cash payments are still widely used and eliminating them could lead to backlash. The convenience and perks offered by non-cash payment options may not be accessible to those who rely on cash.
Unfortunately, there is no immediate solution to this issue without federal regulation in place. In the meantime, commuters are forced to exchange personal information for minimal convenience gains.