Ex-CTA employee reported a security glitch, then he was fired, lawsuit alleges

[InfoSec News <alerts () infosecnews org>]

https://www.chicagotribune.com/business/transportation/ct-biz-cta-bus-system-lawsuit-bus-alerts-20191204-hk4aydeo2jah5icvfnj24a4e2a-story.html

By Mary Wisniewski
Chicago Tribune
December 4, 2019

A former CTA computer programmer has sued the agency, alleging that he was 
forced to resign for pointing out a security flaw in the bus alert system.

Christopher George Pable, 34, of the Austin neighborhood, filed a whistleblower 
complaint against the CTA and technology company Clever Devices Ltd., a CTA 
contractor from Woodbury, New York, in federal court in Chicago this week.

Pable had worked on CTA’s information technology systems, including a Clever 
Devices system called “BusTime” that broadcasts alerts about buses to the 
public, the lawsuit says. BusTime provides estimated arrival times and alerts 
to riders, such as when a bus has to be rerouted. Customers get alerts through 
emails, on the CTA website or via electronic signs in stations.

Pable discovered a security flaw — or “skeleton key” — in BusTime that could 
allow unauthorized access into the system, the lawsuit alleges. Pable told his 
supervisor, Michael Haynes, who decided to test the skeleton key by issuing an 
alert on the Regional Transit Authority for Dayton, Ohio, which also had 
BusTime, the lawsuit alleges.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_