A government Web site meant to aid travelers in removing their names from the Do Not Fly list inadvertently exposed thousands of personal data files to malicious hackers, according to a congressional report released on Friday.
The House Committee on Oversight and Government Reform released a report on Friday that detailed serious flaws in the architecture — and development — of the Transportation Security Administration’s site. Virginia-based Desyne Web Services was given a no-bid contract to build the site in part because the TSA official in charge of the project was a former Desyne employee, the report states.
Lack of Common Sense
While the committee takes the TSA to task for failing to comply with government guidelines, the inability to implement basic security measures is more alarming, according to Lee McKnight, an associate professor of information studies at Syracuse University.
“You don’t leave databases of personally identifiable information where they are easy to access,” McKnight told TechNewsWorld. “This should be Fort Knox. That information needs to be locked far away.”
The Organization for Economic Co-operation and Development (OECD), an international group with more than 100 member countries, has been working on security guidelines for two decades. It has a working security document, including nine steps to ensure data privacy, that should be used by every group setting up a network, according to McKnight.
“There are very specific guidelines for security,” he emphasized. “They are common sense, and anyone should be embarrassed if they aren’t following these guidelines.”
Exposed by Student’s Blog
The guidelines were developed to help organizations ensure security, but the easiest way to keep information secure is to delete data that is no longer used, McKnight suggested. Data is oftentimes used for a specific one-time purpose. However, organizations will continue to store that information, creating a target for malicious hackers.
Even had these guidelines been followed, though, there was little follow-up on the site, the report points out. In fact, the TSA never discovered the flaws in its system.
The original site was launched in October 2006. Thousands of people submitted personal data, the report notes. However, nobody — including the TSA officials — realized that the security holes existed until Christopher Soghoian, a graduate student at Indiana University’s School of Informatics, blogged about the flaws. It was his blog that eventually led to the investigation.
Neither Desyne nor the official in charge of the project has been sanctioned, and Desyne still hosts two major TSA Web sites, according to the report.