Why is it important to consider data and cybersecurity issues in Mobility-as-a-Service projects?
Mobility as a Service (MaaS) integrates various forms of transport and transport related services into a single on-demand application used to plan journeys and to book and pay for various transport options.
MaaS or Transportation-as-a-Service (TaaS) is set to change conventional mobility with the MaaS/TaaS market rapidly developing across the UK. Local initiatives across the UK have already proven its viability, and it is projected that the global MaaS market will be worth $271.66 billion by 2027. Following the overall decline in public transport use during and post-pandemic, local authorities and transport bodies are keen to increase usage, improve service performance all whilst offering savings in a cost of living crisis.
In order to do this, authorities need a large amount of data from users in order to drive efficiencies and service optimisation, which comes with a number of key risks, examined further below.
Data and privacy
MaaS is focused on providing modern transport services which meet people's needs including improving the use of public transport with flexible payment services and personalised real-time travel information. The use of personal data is therefore essential to the functionality of MaaS.
MaaS applications can be used to collect, use and process a huge amount of a user's personal data. The categories of personal data typically shared might include:
- Personal details: phone number, name, e-mail address, address, language, photo, driver's license details;
- Location data: the start and end time and location of travel, travel method, favourite places on maps, routes, calendar data;
- Payment details: payment information, records of any purchases; and/or
- Other non-identifiable information: IP address, access times, browser, or application type, downloads, and other on app interactions.
The data shared might also include special categories of personal data or "sensitive" data. For instance, a user's location data could be categorised as "sensitive" as MaaS applications collect information relating to visits to receive medical care, attend political organisations, or religious activities including the start, duration, and end of visit. Aspects of this data is useful for authorities to examine in order to direct public spend in the areas that are needed, but given its value to the private sector in order to build customer profiles, as well as cybercriminals, authorities need to ensure this is managed in the correct manner. Lessons learnt from other private travel apps which are widely used across the UK and indeed globally provide some interesting pointers.
It is vital for MaaS applications and providers to ensure that adequate data protection measures and risk focused controls on personal data are in place to help ensure security of data, which needs to be considered at the outset of each project, and throughout its lifecycle.
MaaS providers, transport operators, payment services and end users rely on secure infrastructure to process and transmit data via the MaaS application, such as software systems, mobile apps, cloud services, and AI-based analytics services. As a result the use of data can be far reaching and complex, posing a heightened data and cybersecurity risk.
If a cyber-security attack was able to bring a MaaS system down, this would have the ultimate result of preventing use of public transport via that system, hindering workers getting to work (including key workers) or tourists paying visits, and ultimately detracting from the economy.
Cybersecurity and data protection is therefore a priority for any MaaS project as any vulnerability could be exploited to disrupt multiple providers and users of an entire MaaS network, leading to serious consequences including reputational and financial losses.
As consumers become more aware and security conscious of their personal data and digital footprint, organisations trying to implement MaaS must put data and cybersecurity at the top of its priority list. Without user buy-in, MaaS cannot be an ultimate success.
Should you have any queries relating to privacy and cybersecurity issues or would like to understand how we may be able to handle potential risks from our particular experience of MaaS Projects, please do not hesitate to reach out to us.