Despite promising the public it had fixed a privacy issue in the most heavily used public transport system in the U.S., the Metropolitan Transport Authority (MTA) somehow managed to actually not fix a directly related issue, and instead left a gaping hole that allowed me to obtain trip histories stretching back all the way to March.
Now, after I showed them this additional hole, the MTA has disabled the ability for people with accounts on OMNY, the contactless payment system for the New York City subway, to look up their trip history. In short, it was possible for malicious third parties to pull up months worth of trip histories with just a target’s credit card information. The news follows another report by 404 Media in August which found a similar issue which could reveal 7 days worth of data and which the MTA plugged. The new issue impacted a much greater stretch of time
“This feature has been removed while we evaluate new tools to serve our customers,” a message on the OMNY website reads when a user is logged in and viewing the “Trips” tab.