Hacker Rolls Through Barrier at Tollbooth Billing Site

An Internet break-in in the Northeast has raised security concerns about electronic toll collection systems.

Still, officials said, the interloper got access only to one kind of personal information: data on when and where another user went through tollbooths.

Christopher D. Reagoso broke into someone else's e-mail at the New Jersey Turnpike Authority's account statement site for E-ZPass, a service that lets motorists roll through tollbooths in that state and in Delaware, Maryland, Massachusetts, New York, Pennsylvania, and West Virginia without stopping.

E-ZPass provides a device about the size of a deck of cards to stick inside the windshield, and sets up accounts linked to credit or debit cards. Similar but incompatible systems are used in states including Florida, Oklahoma, Georgia, California, Texas, Illinois, and Kansas, as well as in Canada.

E-ZPass users receive itemized bills by mail or e-mail. Chase Manhattan Corp. is responsible for designing and running the New Jersey Turnpike Authority's e-mail and Web sites.

Late last month Mr. Reagoso, who gets his account statements by e-mail, found a way to hack into another user's E-ZPass statement on the New Jersey e-mail site.

Actually, "hack" overstates the computer expertise involved. Mr. Reagoso told The Record of Hackensack, N.J., that it takes just four accidental keystrokes to display anyone's statement.

He told authorities he was merely testing the system.

Mr. Reagoso was not charged with any offense, but the case prompted the Turnpike Authority, the lead agency in the multistate E-ZPass consortium, to close its own E-ZPass e-mail site temporarily and send all statements by regular mail for a few weeks.

Lynn Fleeger, a spokeswoman for the Turnpike Authority, said that 70,000 E-ZPass customers receive their bills by e-mail from the New Jersey site.

(Frank Pascual, a spokesman for the New York Metropolitan Transportation Authority's bridges and tunnels division, which has its own E-ZPass customer service centers, said it would not shut down its online statement service - even though it is similar to the one in New Jersey. "We're reviewing all of our safety procedures that are in place to protect our customer's confidentiality," he said.)

Spokespeople for the Turnpike Authority and Chase said that no personal data were revealed to Mr. Reagoso, because the e-mail site is separate from the Web site, which stores personal data, including addresses and credit cards.

Ms. Fleeger said that to get into that site Mr. Reagoso would have needed the other user's personal identification number.

"The customer account information, the personal information such as address and credit card, were not available," she said. "The only thing that was available was the travel pattern."

Mr. Reagoso "performed a service to us," Ms. Fleeger added. "He made us aware of a security problem we were not previously aware of." Chase regularly tests the Web site and the e-mail site and often hires people to attempt to hack into them, she said.

In a press release, Chase Manhattan said: "Chase has quickly resolved the security issue and reports that no sensitive information has been disclosed. The individual hacker did not gain access to any password, credit card, or other payment-related information. Chase responded immediately by shutting down the statement system, which is operated by a subcontractor to Chase, and we are currently taking steps to implement additional security features. We will test the system before resuming normal operations."

Calls to Mr. Reagoso's listed phone number were answered by a man who said no such person lived there.
