The Transportation Security Administration (TSA) said today that it is investigating a missing external hard drive containing sensitive information of about 100,000 employees.
The hard drive, discovered missing from a controlled area at the federal agency on Thursday, contained the names, Social Security numbers, birth dates, bank account and routing data and payroll information of employees who worked for the agency between January 2002 and August 2005, TSA administrator Kip Hawley said in a notification letter to victims. Authorities are unsure whether the data was lost or stolen.
Hawley apologized to employees whose identity was exposed, but said the TSA has no reason to believe any of the information has been misused. Still, the agency promised to provide affected individuals with one year of free credit monitoring service.
"We are notifying you out of an abundance of caution at this early stage of the investigation given the significance of the information contained on the device," Hawley said. "We apologize that your information may be subject to unauthorized access, and I deeply regret this incident."
The FBI and U.S. Secret Service have opened criminal investigations, according to a separate statement.
The TSA said it has comprehensive data security policies in place and violators face "swift disciplinary action," including firing.
This is the second time in less than a year that the agency responsible for securing the nation’s airports was involved in a data breach.
Last September, a contractor accidentally mailed about 1,200 documents containing Social Security numbers of former TSA employees to incorrect addresses.
"It’s kind of ironic that the government agency charged with maintaining the security of our nation’s transportation system can’t manage the security of its own employees’ files," said Paul Stephens, policy analyst at the nonprofit Privacy Rights Clearinghouse. "It’s a matter of having the proper protocols in place and enforcing them. A lot of times the protocols exist, and you don’t have the compliance. Typically, the failure is employee compliance."
The latest incident occurred just days after Rep. Tom Davis, R-Va., reintroduced a bill that would require federal agencies that suffer a data breach to promptly notify victims and to have proper policies in place.
Reporter: Dan Kaplan.