A report by Comptroller Thomas DiNapoli, published in September, showed that the New York State Thruway Authority was not aware that it was processing, and consequently storing, debit card and credit card information. According to the report, the authority did not protect this information in line with industry standards. Assemblyman Thomas Abinanti said that the situation was prime for a hack.
Third party and transaction values
Conduent, a third-party vendor, handles the majority of the transactions. The Thruway Authority manages a few credit card payments in special circumstances. These include the purchase of E-ZPass tags, which customers must buy at the Albany headquarters or at two other locations, in Tarrytown and Nyack. The list also includes payment for unpaid accident reports, tolls or oversized truck permits. Commercial accounts come under this purview. According to the audit, the Thruway Authority processed approximately 66,000 credit card transactions from the first of May 2015 to the last day of April 2016. The total value of all transactions during this period came to about $1.4 million.
The internal network of the Thruway Authority stores and processes the information. The audit says that this information was not secured as it should have been. The report goes on to say that the systems of the Thruway Authority were not noted for their handling of sensitive data. It pointed out a number of deficiencies, including no procedures or policies covering the retention, encryption and disposal of data. No safeguards were in place to protect the systems from malware. No restrictions were in place to limit access to the cardholder data. There was no user identification or authentication.
Among the other deficiencies pointed out, cardholder systems could be accessed by physical means. There was no system for monitoring access to network resources and cardholder data. Media maintenance and storage control systems were not in place.
Joanne Mahoney, the chairwoman of the Thruway Authority, responded to DiNapoli's letter by saying that the agency is not in agreement with the stated recommendations. She pointed out that 99.9 percent of credit card activity was processed by Conduent. She assured him that the company was in “full compliance” with industry standards. In her response, the chairwoman wrote that the audit concentrated on only 0.1 percent of total credit card activity. She said that no credit card data was found to be compromised, lost or stolen in any way.