
SunPass users' data was compromised...but FDOT didn't publicly disclose it

10Investigates continues to expose SunPass problems the state has tried to keep quiet.
Credit: 10News
SunPass lanes on a Florida tollway.

TAMPA BAY, Florida – 10Investigates has learned the personal data of some SunPass customers was compromised, but the Florida Department of Transportation (FDOT) never made the problems public. And, the agency has not provided any evidence as to how widespread the problem was.


It’s the latest discovery from 10Investigates, which has spent the better part of the 81-day disruption uncovering issues related to the botched SunPass system upgrade -- and the state’s repeated attempts to downplay the problems.

FDOT initially said the SunPass system overhaul would take just six days and be completed by June 11. But, the problems continue well into a third month.

In mid-July, a 10News viewer reported receiving a call from a panicked stranger who had logged onto her SunPass account but got a screen full of the viewer's personal information, including his address, phone number, tolling history, and access to change his security challenge questions. Likewise, the viewer said he was able to access the female stranger’s information when he logged onto his account.

“I panicked,” said the viewer, who asked not to be identified due to his history in law enforcement. “I have a family [and] now another unknown party has my address, my phone, my email address [and] my security questions.”

It’s unknown exactly how long the information was exposed, but the viewer said it took SunPass five days to acknowledge the security failure after he reported it to customer service on July 12 – more than five weeks after FDOT and its contractors flipped the switch on the new system.

“Someone else had full access to my identity and [FDOT] left it up to me to fix,” the viewer said. “I couldn’t be more dissatisfied by just their total lack of concern at how many other people don’t know they’ve been compromised.”

An FDOT spokesperson says only 38 customers – out of more than six million – were affected, but has not returned any requested documents that could verify that claim.

UPDATE: Only after this report was posted Monday afternoon, FDOT provided a series of emails between July 18 and July 30 in which state employees and contractor Conduent try to sort out what to do about the problems caused by "defective software."

On July 30, Conduent indicated it handled the problems itself, and assured state employees only 15 accounts were "potentially compromised." It does not appear any further investigation was done.

No public notice

No notice about the compromised data ever went out to SunPass customers or state media outlets, other than notification to 15 individuals. Several key lawmakers involved in transportation told 10Investigates Monday they had not heard of the issue either.

The viewer who contacted 10Investigates said his only notification from the state was a pair of voicemails that informed him someone “may” have accessed his account and he “may” want to change his username or password.

FDOT only admitted the problems to 10Investigates after weeks of questions and an initial FDOT denial that any data breach occurred. Whether the compromised personal data qualifies as a “data breach” is open to interpretation.

Florida State Statute 501.171 defines a breach as an “unauthorized access of data” in electronic form containing “personal information,” including a name and at least one piece of sensitive information, such as social security number, a driver license number, or certain pieces of financial information. It would not appear the SunPass problems compromised the most sensitive pieces of personal information.

However, according to FSS 501.171, a data breach can also include “username or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The viewer who contacted 10Investigates said he was inadvertently given enough access to a stranger’s account to change her login email and security questions.

State law requires government agencies to file reports of any data breach within 30 days, and alert affected individuals in writing “as expeditiously as practicable.” It does not appear the state alerted the affected SunPass customers in writing.

There is a clause in the statute that allows an agency to forgo notifying affected customers if, “after an appropriate investigation and consultation with relevant federal, state, or local law enforcement agencies, the covered entity reasonably determines that the breach has not and will not likely result in identity theft or any other financial harm to the individuals whose personal information has been accessed.”

Requests made a week ago for FDOT records on the problems have not yet been returned.

UPDATE: After this story was posted Monday afternoon, FDOT provided a statement to 10Investigates indicating "Conduent immediately resolved the issue" and notified the state of the issues on July 25, 2018.

However, that was 13 days after the problem was reported by the 10News viewer to customer service. FDOT says only 38 accounts were vulnerable and only 15 were accessed; Conduent notified those 15 customers in July.

Following the publishing of this report, FDOT says it will "be giving written notice to the 15 customers with ways to minimize or eliminate any potential harm. The Department will be ensuring these customers are not harmed by Conduent’s performance."

FDOT knew of risks ahead of time

Just six days before FDOT flipped the switch on its new system, the agency’s security risk and compliance consultant sent a series of emails to Florida Turnpike executives and project managers indicating urgent concerns regarding customer data.

“This is concerning and could potentially put our customer’s (sic) data at risk,” Freddy Guidotti wrote in a May 31 email after he was alerted a SunPass test site was available on the unsecured internet.

“We need to discuss this ASAP!,” he wrote in another May 31 email to Florida Turnpike Enterprise Director of Toll Systems Buzz Holland.

But FDOT and its contractors went ahead with the transition on June 6 anyway, setting off a chain reaction that continues to disrupt hundreds of thousands of customers’ accounts nearly three months later.

10Investigates obtained the emails through public records requests, but FDOT has not yet responded to additional requests for more information.

UPDATE: After this story was posted Monday afternoon, an FDOT spokesperson said Monday the personal data concerns from May were unrelated to the personal data compromised in July.

Advice to SunPass customers

It's still unclear how many SunPass accounts were left exposed by FDOT and Conduent, or for how long.

So Sri Sridharan, Managing Director & Chief Operating Officer for the Florida Center for Cybersecurity at USF, suggests all customers log in to their SunPass.com accounts to change their passwords. He says it's good regular cyber-hygiene for any online account.

Given SunPass’ data migration and security problems, he also suggests verifying your personal information and toll transactions are all correct as well.

Dozens of customers each week are telling 10Investigates they are discovering what appear to be billing errors on their accounts, creating massive hold times in the one-to-two-hour range on the customer care lines.

FDOT response to other problems

Below is a running report card of SunPass issues 10Investigates has been covering:

Transparency

Issue: Downplaying of problems; FDOT's slow response to questions and records requests.

Concern: Floridians had no idea how bad the SunPass failures were until 10Investigates broke the news on June 19 that the state was unable to process tens of millions of toll transactions. It was another week before the state even acknowledged problems, and it continued to try to downplay the severity of the system disruption. No public notice was given when dozens of drivers’ personal data was accidentally compromised in July.

Response: In the two months since 10Investigates' first report on the failures, FDOT has not gotten much more forthcoming with information. The agency refuses to acknowledge interview requests and has even sent simple records via U.S. mail, seemingly to try to delay their release. The public still has no explanation -- outside of 10Investigates' reporting -- of how 6 million customers were inconvenienced so badly.

Report Card: Failing

IT problems

Issue: Technology meltdown limited access to SunPass accounts, the SunPass website frequently crashes and billing was delayed by weeks and months.

Concern: Customers couldn't access receipts to get work reimbursements, got hit with large and unpredictable charges when tolls finally were processed, and the delays mean account errors are very difficult to spot and correct.

Response: FDOT, its partners, and its vendors have been working around-the-clock to fix the computer issues, and they have announced there will be no fines or penalties on customers during the ongoing disruption. The toll backlog was finally cleared Tuesday for many SunPass users, but EPass and toll-by-plate customers are likely still seeing long delays in billing. The state has rolled out its plan to reimburse customers for bank overdraft fees. But account errors -- and there are multiple indications they are plentiful -- are the responsibility of the customer to identify and report before refunds are issued.

Report Card: Improvement noted

Customer service

Issue: Frustrated customers unable to get problems fixed

Concern: Some customers have to wait more than two hours to speak to representatives, and their emails to SunPass go days without a response.

Response: An FDOT spokesperson says extra staff members have been dedicated to customer service but has been unable to provide specifics over the course of the last two months. In July, an agency spokesperson touted website improvements and Conduent's reduction of call center wait times; but in August, the website continued to crash and call center wait times exploded as more drivers discovered unexpected, and in some cases inexplicable, charges on their accounts.

Report Card: Incomplete

Accountability

Issue: Contractors and FDOT all had a role in system failures; state not in a rush to sort it out.

Concern: Are contractors incentivized to get problems fixed fast? Will individuals who made big mistakes be disciplined? Will the state learn from mistakes to prevent it from happening again?

Response: Last week’s announcement that Florida's inspector general would investigate came only after 75 days and four 10Investigates interviews with Gov. Scott. No scope has been announced for the investigation, but the governor's office said it would likely be "broad." Payments were halted to Conduent in late June, but 10Investigates revealed the company is still getting paid on other contracts. The state announced an $800,000 fine to Conduent, and it said the company will pay for customers' overdraft reimbursements as well. However, no fines or penalties have been mentioned for corporation Atkins, the general contractor responsible for oversight on the project, or HNTB, the corporation that oversaw the awarding of the contract to embattled Conduent in the first place.

Report Card: Incomplete

Toll-by-Plate

Issue: Customers who use toll-by-plate or other mail billing have not received bills yet.

Concern: It appears the state has been unable to match all of the transactions to vehicle owners, delaying the posting of some charges. Viewers are also reporting errors in plate identification, landing other drivers' tolls on their accounts.

Response: An FDOT spokesperson says no tolls will be waived and invoices will go out "once quality assurance processes are completed."

Report Card: Failing


►Send your SunPass issues and other story tips confidentially to 10Investigates' Noah Pransky on Facebook or email him at npransky@wtsp.com
