A Congressional committee has slammed the Transportation Security Administration
(TSA) for giving a no-bid contract to a website developer that failed to implement cybersecurity procedures to protect the personal information of travelers.
U.S. Rep. Henry Waxman, D-Calif., chairman of the House Oversight Committee, released a report this week disclosing that the TSA's redress website had numerous security vulnerabilities, was not on a government domain and did not encrypt information.
The committee also discovered that the website, designed to help passengers erroneously listed on airline watch lists, featured data-submission pages that were not encrypted, while the encrypted pages it did have were not properly certified.
The redress site, launched on Oct. 6, 2006, and taken down last Feb. 13, was designed by Desyne Web Services, a Virginia-based contractor selected because TSA's April 2006 request for quote was designed so that only Desyne could meet the requirements, according to the committee's report.
About 250 travelers submitted their personal information to the site during the four-month period.
A representative of Desyne could not be reached for comment.
The TSA is a division of the U.S. Department of Homeland Security (DHS), which received a D grade
for its most recent Federal Information Security and Management Act of 2002
The committee credited Chris Soghoian, a doctorate student at the University of Indiana's School of Informatics, with disclosing the site's security weaknesses on his “Slight Paranoia” blog
Soghoian said then that he initially believed the redress page was a phishing website.
After the security weaknesses were disclosed, the TSA moved the website to a secure DHS domain and contacted affected users. The agency did not, according to the committee, sanction Desyne for poor performance.
Soghoian, now a blogger for CNET.com, said today
that the FBI conducted a 2 a.m. raid of his house after he demonstrated the ease in which passengers could create fake boarding passes. The TSA also investigated the blogger for a half-year and threatened him with fines of thousands of dollars, he said.
“I discovered the initial security flaws in TSA's redress website, and the congressional investigation is a direct result of a blog post that I wrote in February 2007. I'd be lying if I said that I wasn't grinning from ear to ear with the news of this report,” he said. “It's poetic justice, if you will, for the unpleasantness that TSA put me through.”
The incident is not the first embarrassing information security situation for the TSA. Last October, the personal information of nearly 4,000 people, including commercial truck drivers who transport hazardous materials, were on two laptops stolen from a third-party contractor
working with the TSA.
Five months earlier, a federal employee union filed suit against the agency
over the loss of a hard drive containing the personal information of 100,000 workers.