[ISN] Missing TSA computer drive not protected

From: InfoSec News (alerts@private)
Date: Mon Jul 16 2007 - 22:40:41 PDT


http://www.mercurynews.com/politics/ci_6388676

By TED BRIDIS
Associated Press Writer
07/16/2007

WASHINGTON -- The Transportation Security Administration did not follow 
White House instructions to protect sensitive information on a computer 
hard drive containing bank and payroll data for 100,000 employees that 
was discovered missing, the agency acknowledged to Congress.

Authorities realized in May the storage device, an external hard drive, 
was missing from TSA headquarters. In a letter to Rep. Ed Markey, 
D-Mass., the agency said the drive contained historical payroll data, 
Social Security numbers, dates of birth, addresses, time and leave data, 
bank account and routing information, and details about financial 
allotments and deductions.

The TSA said it was still conducting an administrative review of the 
loss but already had disciplined some employees. It did not provide 
details. The agency earlier said it would fire anyone discovered to have 
violated the agency's data-protection policies.

The information on the missing drive was not protected with encryption 
or any electronic security technology, the TSA said. However, the White 
House Office of Management and Budget last summer ordered all sensitive 
data encrypted on laptops or portable devices -- including handheld 
devices -- if they were carried outside secure areas.

The lack of any encryption means any computer user who connects the 
drive to a laptop or desktop PC can view all the information without any 
special software tools.

"TSA dropped the ball when they chose to ignore recommendations set 
forth by OMB to encrypt sensitive information," said Rep. Bennie 
Thompson, D-Miss., the chairman of the Homeland Security Committee. 
"This is not a technological problem but a management one."

The TSA said its Office of Inspection is investigating the missing hard 
drive with help from the FBI and Secret Service, but it remains unclear 
whether the drive was lost or stolen. There have been no reports of 
fraudulent credit activity involving employees whose information was 
vulnerable, the agency said.

The TSA said roughly 27,000 employees signed up for one year of 
credit-monitoring services it agreed to pay for.

The TSA wrote earlier this month to Markey, a member of the Homeland 
Security Committee, and the letter was obtained Monday by The Associated 
Press.

Copyright 2007 San Jose Mercury News

