The Tap and Go Transport Service, which allows passengers to conveniently pay for their fares using a reloadable card, which can be tapped on designated devices installed on buses or rails, has proven to be a medium that makes Ghanaian commuters susceptible to Cyber fraud attacks.
Vice President, Dr. Mahamudu Bawumia, launched the Tap and Go Transport Service in Accra on Monday, February 19, at the Head Office of Metro Mass Limited.
Dr. Bawumia highlighted that the new Tap and Go digital system is not confined to intra-city transport like Aayalolo. Instead, it is expansive and designed to support various public transport services. This includes parcel deliveries and tracking, taxi hailing, inter-city bus services, as well as inner-city bus services such as Metro Mass and Aayalolo.
Following this, Yayra Koku, reportedly affiliated with the National Democratic Congress (NDC), voiced apprehensions suggesting potential privacy risks for commuters utilizing the service.
Another X user, Edward Adjei, a Software Engineer & Site Reliability Engineer took it upon himself to expose the vulnerability of the newly launched system.
He managed to gain access to 1,079 user logins and details with different role levels, and he also accessed panels (three different websites for this project) and some video recording from the monitoring software’s server.
He managed to also get access to the financial details of these users, including their bank accounts, code, mobile money among others.
According to Mr Adjei, his sole purpose is to lay bare the flaws of the systems and how several citizens risk being defrauded or having their bank accounts hacked.
“Web server is pretty old and could crash with certain specially crafted payload sent to it. Can easily deny services for all services. Here’s one of the issues. It’s a high vulnerability. Fix now,” he added.
Mr Adjei noted that after gaining access to the server, he got access to a lot of other Asian recordings, compelling him to find out if the Tap and Go Transport Service is made solely for Ghana.
The flaws in the Tap-and-Go bus monitoring system contravene the general data protection regulation (GDPR), which is the strongest privacy and security law in the world.
The GDPR defines:
- individuals’ fundamental rights in the digital age
- the obligations of those processing data
- methods for ensuring compliance
- sanctions for those in breach of the rules
Obligations for businesses and organisations
The GDPR establishes the general obligations of data controllers and of those processing personal data on their behalf (processors).
These include the obligation to implement appropriate security measures, according to the risk involved in the data processing operations they perform.
Controllers are also required in certain cases to provide notification of personal data breaches. All public authorities and those companies that perform certain risky data processing operations will also need to appoint a data protection officer.
Individuals can lodge a complaint with a supervisory authority and have the right to judicial remedy and compensation. They have the right to have a decision by their data protection authority reviewed by their national court, irrespective of the member state in which the data controller concerned is established.
Severe sanctions are provided for against controllers or processors who violate data protection rules. Data controllers can face fines of up to €20 million or 4% of their global annual turnover, according to the EU.