Skip to main content

State Comptroller DiNapoli says Thruway Authority lacking in security for credit card data

New York State Comptroller Thomas DiNapoli’s office released an audit report stating the state Thruway Authority does not have the updated security measures needed to protect credit card data used to make payments to the authority.
October 3, 2017 11:39 pm

ALBANY — The state Thruway Authority does not have updated security measures for credit card data and does not meet state security standards, which puts motorists who pay tolls or E-Z Pass charges on their credit cards at risk, according to findings from an audit released Tuesday by state Comptroller Thomas DiNapoli.

The audit looked at compliance with Payment Card Industry Data Security Standards from March 1 through June 5.

During that time, the authority directly processed approximately 66,000 credit card transactions totaling more than $1.4 million, according to the audit.

“The authority has not taken fundamental steps to secure its network,” according to the audit. “For example, it had neither classified its data, nor accounted for all of its systems that process or store credit card information. In addition, it had not performed a risk assessment covering its Cardholder Data Environment.”

The authority accepts in-person credit card payments for E-Z Pass tags as well as payments over the phone or online for unpaid tolls, accident reports, oversized truck permits, commercial accounts and other costs.

With the recent breach of Equifax, a credit report company, that state Attorney General Eric Schneiderman said affected more than 8 million New Yorkers, securing personal data is a point of heightened sensitivity.

According to the audit, the authority was not complying with State Data Security Standards and there are weaknesses in the authority’s security systems protecting cardholders’ data.

“During our audit, we found several weaknesses in the Authority’s operational and technical data security controls over cardholder data that require management’s attention,” according to the audit. “Some stem from the authority not yet having effectively implemented certain core elements of an information security program for cardholder data.”

The audit also found that management was unaware of the security weaknesses because it had not reviewed all parts of the system that handles cardholder data called the Cardholder Data Environment.

“The authority had not made formal attempts to account for all aspects of its CDE, including the specific systems that handle credit card information,” according to the audit. “As a result, management was unaware that weaknesses and gaps existed in the security controls over the data and, consequently, could not take timely remedial actions.”

“Without a complete inventory, some system components could be excluded from the organization’s configuration standards or not securely protected, leaving them vulnerable to security threats,” according to the audit.

The comptroller’s office recommended that the authority take inventory of all assets related to payment card processing activities, conduct a risk self-assessment, develop and disseminate policies and procedures that clearly define information security responsibilities for all personnel and strengthen physical security over all systems that receive, process, transmit and maintain cardholder data.

The authority was generally dismissive of the comptroller’s concerns and recommendations in its response to the audit, saying it already is in the process of implementing the items in the comptroller’s list of recommendations.

“Over 99.9 percent of the authority’s credit card activity is processed by our contracted E-Z Pass vendor and was in full compliance with security standards,” said Adam Wood, chief of staff for Thruway Authority Chairwoman Joanne Mahoney. “The audit is focused on 0.1 percent of our credit card activity and did not find that any of the authority’s credit card data had been lost, stolen, or compromised in any way.”