AUSTIN (KXAN) — When Sandra Cates logged into her TxTag account to talk with a customer service representative via its online chat feature, she had no idea another customer using the same system would see the lengthy conversation.
The Texas Department of Transportation, which operates TxTag, says it appears it was an “isolated incident.”
Still, during her online chat on Oct. 29, Cates shared her address, TxTag account number and the answer to one of her security questions with the customer service representative. All of that information was shared with a separate user looking to chat with TxTag customer service about his own account.
“The security questions are the same throughout multiple applications, so if you already had my address, and my name and my answers to my security questions, you could potentially use that information, in a different account,” Cates told KXAN.
She had no clue her information was shared with the other customer until KXAN reached out to inform her. We found out from a viewer who emailed us with his concerns.
“I have just finished using the TxTag chat service to get a question answered, but what is concerning is that when I went into the chat function, I could see the whole exchange that TxTag had with another customer,” the concerned viewer told KXAN.
The viewer saved a copy of the chat in hopes of informing Cates her information had been “exposed.” KXAN tracked down Cates to let her know.
Last month, KXAN reached out to TxDOT asking how the mistake occurred and how many customers have experienced similar problems. We also wanted to know what security measures are in place to make sure customer service resources are secure.
“Based on the limited information we have been provided, it appears this was an isolated incident,” a TxDOT spokesperson said in a statement. “We regret any inconvenience this incident may have caused our customer and we always encourage any of our customers to reach out to us with any questions or concerns.”
The customer said TxDOT didn’t contact her until last Friday, despite knowing about the error for two weeks.
“(They) didn’t really provide any sort of explanation,” Cates said. “Just said I’m sure you’re aware that your account was compromised, what do you want to do?”
Cates said TxDOT offered to either change her security questions or to move her information over to a new TxTag account. She took that second option.
Still, she said TxDOT didn’t explain what procedures are in place to make sure it doesn’t happen again to her, or anyone else.
“When I asked what was the problem, what happened, and they just said it was an ‘operator error,’” Cates said. “It was very nonchalant. … No more elaboration, no assurances that this won’t happen again.”
For now, Cates said she doesn’t plan to use the TxTag customer service online chat feature, and will opt to pick up the phone.
As of 3:30 p.m. Tuesday, TxTag’s online chat system was unavailable.
In addition to sending questions to TxDOT on Nov. 29 inquiring about the chat mixup, KXAN asked about the results of a security risk assessment of the TxTag systems that was conducted after the state hired a third party to review them. TxDOT has not responded to those questions.
The security concern was just the latest issue KXAN has reported on in recent years. Last fall, KXAN launched an investigation into the state’s toll road system, which revealed the state agency sent 2.2 million debtor accounts to collections in 2017. Some of those customers owed thousands of dollars in late fees alone and others claimed their bills were sent to the wrong address.
TxDOT ultimately waived $1.3 billion in late fees after a new law earlier this year capped late fees for certain toll users.
A whistleblower also alerted us to security concerns at Conduent, the company TxTag contracts with to handle toll road operations and customer service. And, over the summer, our investigation helped spark calls for a federal probe into whether that company should be held accountable for accusations it inaccurately billed customers toll charges, late fees, and penalties.
TxTag drivers can reach out to KXAN with their concerns by contacting us at ReportIt@kxan.com.