A security flaw allowed an employee working at WSDOT's Good to Go customer service center to steal account holders' credit cards and use them to rack up charges as part of a larger scheme that stole nearly $64,000.
Now the State Auditor's Office is reviewing the tolling system and its security.
WDOT's tolling system is run by Electronic Transaction Consultants Corporation (ETCC), which has been the center of a series of tolling-related problems, including billing issues in December, delays in launching tolls on the 520 bridge, and glitches involving tickets on the Tacoma Narrows bridge.
"It does call into question, of how safe [are] the credit card numbers at this point," Good to Go customer John Davis said.
"They're the state," Good to Go customer Jill Potter said, "and they're the government. So I would think it's somewhat inefficient and outdated."
Anitra Barquet, 35, took advantage of that system when ETCC hired her through a staffing agency to work at the Seattle Good to Go customer service center in September of 2013.
Little did people know when they were calling her for help, she was helping herself to their credit card numbers until October 2013.
Barquet used 13 customers' cards to buy items on Nordstrom's website. Then she returned the items to a Nordstrom store, getting cash or credit to her bank account.
Documents show she worked with other criminals and got credit card numbers from other jobsfrom a total of 68 victims.
According to the sentencing document for Barquet, she was found guilty of stealing at least $63,893 through her scheme. Prosecutors said the entire scheme with her co-conspirators caused an actual loss of approximately $160,000.WSDOT told KIRO 7 it asked the Secret Service for the exact amount Barquet charged to Good to Go customers' credit cards, but the Secret Service declined to provide the information.
The Secret Service investigated and notified WSDOT.
"It appears that her crimes exposed security flaws in the system," KIRO 7 said to Craig Stone, who was WSDOT's Assistant Secretary for Tolling at the time of the investigation. Records released via a public disclosure request show Stone sent emails to WSDOT employees about the fraud, including a chronology of the Secret Service investigation.
"So obviously she was able to get some information and exploit it," Stone said.
Stone said WSDOT sent a letter to 495 Good to Go customers whose accounts Barquet accessed as a matter of her daily work.
The letter said their payment card information was "exposed to an individual associated with an ongoing criminal investigation." The letter called it "an isolated incident limited to cards processed by a former contractor for ETCC."
"There's no way to know what that actually means, quite honestly," customer John Davis said, examining the letter.
It does not tell the customer how many people were affected or potentially affected. It also does not state that Barquet actually worked in a Good to Go customer service center at the time the events occurred.
"What has been changed that makes the system safer for Good to Go customers?" KIRO 7 asked Stone.
"Part of it is the training," Stone said. "[It's] making sure there are not devices and things of that nature that someone can quickly record a credit card number."
Stone said ETCC has improved how it monitors phone calls and supervises employees.
But WSDOT said according to federal law, ETCC's background check policy can only go back seven years, which just missed Barquet's two convictions for attempted theft and theft, in 2000 and 2006.
"Is WashDOT satisfied with the level of security that ETCC is providing here?" KIRO 7 asked.
"I think this is a continual process that we're working on," Stone said.
"This is a pattern," Senator Andy Hill said. "I have no faith they can fix it."
Hill has tracked problems with ETCC and sponsored a bill to reduce the number of toll lanes on 405. KIRO 7 showed him what it uncovered.
"I was shocked," he said. "I read through the document. This happened three years ago. This is the first I'd heard about it. I talked to the chair of the Transportation committee. It was the first he'd heard about it. I talked to two other members of the Transportation committee. First they had heard about it...this was something that was clearly swept under the rug."
WSDOT maintains it notified the chairs of both the Senate and House Transportation committees in 2014.
As for Barquet, she was sentenced to 18 months in prison in spring of 2015. But Hill and WSDOT are still waiting on the state audit of the tolling system, which noted in January 2015 as it prepared for the audit that ETCC still "has not yet demonstrated its full compliance" with security standards. The report was initially slated for release in fall of 2015; it has since been pushed back to March 2016 and now April 2016.
When KIRO 7 asked WSDOT if ETCC was in full compliance now, a spokesperson told KIRO 7 that "ETCC has contracted with a third-party Qualified Security Assessor (QSA) to complete a PCI DSS Record of Compliance (ROC). The assessment and formal ROC is on schedule to be completed in March. "
WSDOT issued a statement Thursday that said in part, "We take privacy and protection of customer information very seriously" and that " we worked with our vendor to ensure they have internal controls in place to prevent fraud and are continually working to stay up to date with industry best-practices and improve our protocols in order to be prepared for emerging identity theft tactics."
The department told KIRO 7 that if customers don’t want to use their credit cards account holders can always refill their accounts and pay tickets by cash at a walk-in customer service center. Customers can also pay through electronic bank transfer or by check. Checks are processed directly by US Bank.
Cox Media Group