VANCOUVER (NEWS 1130) — A Vancouver anti-violence group is out with a warning after a hack at TransLink earlier this week, telling women with abusive partners or exes to disable and replace their Compass cards.
In what was ultimately confirmed to be a ransomware attack, a number of services were taken offline by the transit provider this week. Minister George Heyman said Friday that until the investigation into the cyberattack has been completed, he’s not in a position to promise anyone that their information wasn’t accessed.
Battered Women’s Support Services has raised concerns in the past about the card’s capacity to track users’ movements by storing location-based data, and shared some advice Friday in light of the potential data breach.
“One of our volunteers who is an engineer reached out to us right away and said, ‘Since TransLink tracks location and activity through Compass cards this hack has potentially compromised data involving folks and where they go.’ So we’re quite concerned that women’s transit use and their locations can be sold or publicized,” explains Executive Director Angela Marie MacDougall.
“That is one of our biggest concerns so we wanted to get out in front of this today and use social media to let women who are worried about their information being compromised — anyone with a Compass card, frankly — should replace it as soon as possible and disable their card. It’s true we don’t have the whole picture of what data’s been compromised we want women to err on the side of prevention.”
The recent hack to @TransLink's operating system compromises women's safety & we are urging women to disable their compass cards & replace them once the issue has been resolved. Here’s some info regarding compass cards & safety >> https://t.co/B8A9oxi4ZZ pic.twitter.com/nBosonlc5k
— BWSS (@EndingViolence) December 5, 2020
MacDougall points out that women are at the greatest risk of lethal violence when they are leaving or have recently ended an abusive relationship.
“This could have very serious consequences if someone’s data and location information was sold or publicized.”
The way that abusive men track women’s movements is part of a pattern of power and control, according to MacDougall. Although, in theory, one’s Compass card login information isn’t shared, she notes there are many ways violent partners can access it.
“Abusive partners surveil. They want to know where a woman is and want to question her on her whereabouts throughout the day. It is a hallmark of abusive relationships isolation and control through surveillance,” MacDougall says.
“The Compass card system has provided another tool in the arsenal for abusers. An abusive partner will pressure a woman to give the login information so he can monitor her, and many folks are sharing cards, so that’s also a way an abusive partner will log on and gain information,” she explains, adding women are often under the financial control of their partners and may not have their own credit cards or spending money.
If a card is registered, every time it’s tapped the time and place is recorded and a list of trips can be accessed by logging in to an online account. If the card is not registered, this information isn’t accessible. However, simply deciding not to register the card may not be an option for women who are being coerced, controlled, or living with a persistent threat of violence.
TransLink spokesperson Ben Murphy says location and payment data are secure.
“TransLink does not store Compass fare payment data or personalized Compass travel history. We use a secure third-party payment processor for all fare transactions,” he writes in an email.