Gary Mason

B.C. Ferries customers who pay with a credit card are being put at risk by flaws in the company's data security system.

Recent internal audits conducted by the ferry corporation have identified glaring deficiencies in the way in which the company is protecting sensitive customer credit card information.

And internal company documents obtained by The Globe and Mail indicate B.C. Ferries faces substantial fines and other penalties reaching into the millions of dollars if that information falls into the wrong hands as a result of unaddressed weaknesses in the company's data security operation.

The ferry corporation processes up to $400-million worth of credit card transactions a year. It is required under the Payment Card Industry Data Security Standards (PCIDSS) to safeguard and protect the use of customer credit card data. It is also required to "properly use and dispose of its (credit card) data."

To be compliant with industry standards, an audit must identify zero gaps. However, one audit the company conducted last fall revealed as many as 45 deficiencies in its data security system.

David Hahn, B.C. Ferries president, said in an interview that the problems will be remedied by the fall. Meantime, he said, the credit card information of travellers is secure.

"There are still enough flags in place to recognize problems," Mr. Hahn insisted. "We catch credit card scammers all the time. We're pretty diligent on this stuff. We are confident that our system is safe and won't be compromised.

"We take security matters extremely seriously."

It was revealed yesterday that thousands of ferry customers who travelled over the Easter weekend were double-billed on their credit cards because of a breakdown in the company's data system. Ferries said the malfunction was caused by the high number of refunds the company had to process because of sailing cancellations due to high winds.

According to an internal company document, PCIDSS sets out requirements that any organization processing credit or debit cards must follow in order to be compliant. For instance, all personnel authorized to access credit card information should have unique identification to ensure users are traceable. The Ferries audit found that the same user ID was being used by multiple people.

PCIDSS insists all access passwords be stored in an unreadable format. The audit uncovered instances of passwords stored in plain text formats. Also, all database access should be monitored. The report found that "auditing was not enabled on the database."

Perhaps most concerning of all, security standards insist that an archiving policy must be in place and data should only be stored as long as required. But B.C. Ferries has several years' worth of unnecessary credit card data remaining in various databases. The report says that data are being duplicated across a half dozen databases.

An example scenario outlined in the documents obtained by The Globe explains the current situation this way: "A customer makes a reservation, purchases a travel fare and buys food using their credit card. This credit card information is now located in five production databases. Due to ongoing development and testing, the environments are refreshed from production.

"The customer's credit card information is potentially in up to 28 databases, as well as the POS (point of sale) site server. At the end of 30 days there are 840 instances of the customer's credit card data. At the end of 60 days there are 1,680 instances … and at the end of 90 days there are 2,520 instances."

The report says that while there is an encryption key to secure the customer data, "the encryption routine is not fully secure or monitored/audited."

"This means that at the end of 90 days there are 2,520 instances where the sensitive data could potentially be retrieved/accessed," the Ferries' document states. "Since not all credit card data is encrypted, this risk has now increased further."

The document indicates that Ferries could face substantial fines and other penalties measuring in the millions of dollars if there is a breach of credit card security because of current deficiencies.

For instance, it would have to pay the $30 replacement fee for any credit card that is exposed to potential fraud. For 100,000 cards that would be $3-million. The company could also face up to $1-million in fees and fines until it is deemed compliant by the Payment Card Industry council.

The report also suggests the corporation is at risk of class-action lawsuits if there is a security breach.

If not fixed, the document says, financial implications also include: "Potential loss of merchant status resulting (in) inability to process credit cards (loss of millions of dollars - majority of revenue is credit card)."

Mr. Hahn said a request for $500,000 in funding to address the security deficiencies was approved in March. But he acknowledged that the compliance gaps won't be fixed until November - that's how long it will take for the system updates to be completed.

He said industry security standards are constantly changing and he was sure that when another audit is "done in three or four years' time it will identify other problems that will need to be addressed."

But Gary Coons, New Democratic Party MLA and his party's critic for the ferry corporation, isn't buying it.

"It's shocking," said Mr. Coons.

"I think it's outrageous and quite frankly scandalous that customers and the public have been kept in the dark for months now about these non-compliance gaps in protecting valuable credit card information."

Mr. Coons said seven months was too long to wait for the problems in the system to be addressed.

"It's just unacceptable and deplorable," said the MLA for the North Coast. "But it seems obvious that David Hahn and the board of directors think that it's okay to wait seven months to fix the system. If that's their take on it I think the Minister of Transportation needs to get involved immediately."
