SALT LAKE CITY — A state website for Express Pass users that was taken down after the Deseret News inquired about a security flaw on the site has been repaired and is again available to customers.
The state ordered ETAN Industries, the vendor that operates the Utah Department of Transportation site under contract, to shut down the site Tuesday when it was notified of the security issue.
In an email sent to Express Pass customers on Friday, state officials said their investigation thus far has not uncovered any evidence that personal information on some 21,000 past and present pass users was illegally accessed, but they were continuing to review data logs related to the accounts.
"In cooperation with the vendor, the Utah Department of Technology Services has undertaken a forensic investigation of the website and to this point has found no evidence of malicious attempts to access information," the email read. "A security patch has been uploaded to the site, and the vulnerability has been resolved."
Tyler Fitts, a Sandy resident and IT professional who has been using the Express Pass for about four years, discovered the flaw and told the Deseret News in an interview earlier this week that accessing personal information on himself, and other Express Pass account holders, was far too easy.
"Takes a basic skill level, but no more than a basic skill level to be able to run through and get everyone's information on there," Fitts said. "I'm glad they took down the site while they get it figured out."
Fitts said he was checking his pass account balance last Friday and remembered he had received a notice to update his account password since the state had switched to a new provider in September. While working to update that password, his browser crashed. Being an IT guy, Fitts opened a window showing the computer code, an operation that only requires hitting F12 on most browsers, and was surprised to find his complete personal information showing.
"I was shocked that any state government would contract with someone who does this today," Fitts said. "It’s reckless."
The exposed information belonged to customers who have purchased passes for accessing HOV lanes and included names and addresses, phone numbers and credit card information — including the last four digits of account numbers and expiration dates, and even the security question and answer associated with the account. UDOT officials indicated there are currently 16,000 active Express Pass users and 4,000 to 5,000 nonactive users.
The email to Express Pass users also encouraged customers to regularly change passwords and security questions, a standard digital safety precaution, and promised to continue to monitor the website for security issues.
Stephanie Weteling, spokeswoman for the Department of Technology Services, said her agency would wait until completing its investigation before deciding what, if any, actions would be taken with regard to the contract with ETAN Industries. She also noted they've asked the Utah Attorney General's Office to review the contract with ETAN, which was signed in February.
ETAN Industries has not responded to multiple inquiries from the Deseret News seeking comment on the problem.