WASHINGTON, D.C. – The growing use of telematics for both gathering truck performance data and for sending and receiving shipping documents also exposes trucking to a new form of crime called “e-hijacking.”
At a special trucking safety and security seminar hosted by law firm Patton Boggs LLP here in the nation’s capital, Stephen Spoonamore, CEO of data security consulting firm Cybrinth, gave examples of recent e-hijacking events to illustrate why data security in trucking needs tightening.
He pointed to the supposed loss of 3.9 million banking records stored on computer backup tapes that were being shipped by UPS from New York-based Citigroup to an Experian credit bureau in Texas. “These tapes were not lost – they were stolen,” Spoonamore said. “Not only were they stolen, the theft occurred by altering the electronic manifest in transit so it would be delivered right to the thieves.” He added that UPS, Citigroup, and Experian spent four days blaming each other for losing the shipment before realizing it had actually been stolen.
Spoonamore, a veteran of the intelligence community, said that by his analysis of this e-hijacking, upwards of 15 to 20 people needed to be involved to hack five different computer systems simultaneously to breach the electronic safeguards on the electronic manifest. The manifest was reset from “secure” to “standard” while in transit, so it could be delivered without the required three signatures, he said. Afterward, the manifest was put back to “secure” and three signatures were uploaded into the system to appear as if proper procedures had been followed.
“What’s important to remember here is that there is no such thing as ‘security’ in the data world: all data systems can and will be breached,” Spoonamore said. “What you can have, however, is data custody so you know at all times who has it, if they are supposed to have it, and what they are doing with it. Custody is what begets data security.”
Another case involved a fleet of 350 trucks shipping hazardous materials using telematics to download and track vehicle operating data in real time – monitoring engine speed, hard braking events, etc.
Spoonamore said the data streams coming from those vehicles used only a basic level of encryption, which was broken by what he called an “enterprising” local law firm. The firm proceeded to download four months of operating data on each truck – especially the actual road speed of each truck over that period, down to the decimal point. The law firm then sued the trucking company for speeding violations, using the carrier’s own telematics data against it.
“[Telematics] can tell you at 2 a.m. precisely where your truck is – but do you know where your data is at that time? That’s why you can’t totally trust your computer anymore,” Spoonamore cautioned.