By New Times
By Connor Radnovich
By Robrt L. Pela and Amy Silverman
By Ray Stern
By Keegan Hamilton
By Matthew Hendley
By Monica Alonzo
By Monica Alonzo
When Dana Weick decided to register his car online earlier this month, he had no reason to suspect that his credit-card number, its expiration date and his home address would be made available to the public. Weick expected a Web site affiliated with the government and run by IBM would be sophisticated enough to be leak-free.
Unfortunately, Weick, along with hundreds of others, thought wrong. Because of a security oversight on the ServiceArizona site (www.servicearizona.ihost.com), Weick's records, as well as those of other Arizona residents who had registered online, were posted on the Internet.
Neither IBM, which administers the site, nor the state Department of Transportation, which oversees motor-vehicle records, was aware that--for months--consumers' credit-card numbers were available to anyone with even the slightest bit of Internet savvy. No hacking needed. The problem was fixed last week after IBM and DOT learned of the site's lax security system.
Still, Weick and other motorists--who had their card numbers floating through cyberspace--aren't sure on how many hard drives the numbers might have landed. Neither IBM nor state officials would say how many Arizonans had taken advantage of online registration, but a casual check shows that about 300 people use the system each month.
ServiceArizona is the first "electronic commerce" Web site that IBM wants to offer state governments nationwide. Arizona DOT officials liked the idea, because it could shorten long lines at Motor Vehicle Division offices, especially at the end of the month when car owners--who have waited as long as possible to fork over their hefty registration fees--finally pay up. IBM benefits from the program by keeping the $6.95 fee it charges for each registration.
Michael Monti, a Tempe restaurant owner, likes the idea, too. He had forgotten to register his company truck last month. The day the registration expired, he had a large catering job scheduled and no time for a trip to the MVD, he says. Instead, he registered the truck on the ServiceArizona site, which only took a couple of minutes, and the coverage was immediate. Monti says he will "eagerly" use the Internet to register next year despite the security flaws.
"When you use the Web to do anything, you're sticking your neck out," says Monti. "If you want the benefit of this technology, you have to run the risk."
Weick says he, too, will register online again despite security concerns after his recent discovery. After punching in his credit-card information and completing the registration process from his computer at work, Weick surfed around the site for a few minutes. Without any warning or prompting for a password, he says, he found himself on a page with a list of logs for each day's transactions. His name and address, the make and model of his car, the car's value and license-plate number were on that day's log. So were his credit-card number and its expiration date.
"I'm a little sensitive to this [type of security problem]," says Weick, an engineer. He'd found his credit-card number by chance once before in another database on the Web, while using a search engine.
After seeing his personal information posted on the ServiceArizona site, Weick immediately called his bank and had his card canceled--just to be safe.
Records dating back to March 1 were available until last Thursday when New Times--which had been alerted to the potential screw-up by Weick--contacted DOT and IBM about the problem. That was the first anyone had heard of it, according to Mark Nelson, an IBM spokesman.
"IBM regards the security and the privacy of our customers to be of the highest priority," says Nelson. "Once we became aware that there was a possible security breach on the ServiceArizona Web site, we immediately closed the thing down."
IBM fixed the problem, and the site was accepting online registrations again as of 10 a.m. Monday.
ServiceArizona is run by IBM's Global Government Industry program headquartered in Bethesda, Maryland. IBM does not bill the state for the service. Instead, it keeps the $6.95 "convenience fee" charged to users for each online registration. There are hyperlinks on the DOT and MVD sites to ServiceArizona, and the ServiceArizona site links back to both of the state's Web sites.
Nelson says an internal investigation showed that "human error, not a failure of our security technologies, was the source of the problem" and that a programming error caused it. He also says that IBM does not plan to tell users of the site what has happened. Instead, IBM notified the credit-card companies involved in the transactions.
Nelson also says an IBM review of use of the service shows only a few people actually accessed the personal data while it was mistakenly available.
Arizona DOT and MVD are not responsible for the security of the ServiceArizona site, according to Katherine Kissel, a public information officer for the MVD. "This is not something technically we have control over," says Kissel. "However, this would make us very unhappy."
But both security and privacy experts consider IBM's lax security a serious problem, especially on a site that contains public records and credit-card information.
Since the information was not knowingly released, DOT might legally be off the hook, says David Banisar, staff counsel at the Electronic Privacy Information Center (EPIC), a public-interest group in Washington, D.C. But, he adds, the state still has a "moral obligation" to tell people what happened.