The Transportation Security Administration (TSA) is in hot water again for losing sensitive data, and this time around it has national security implications: Two laptops were reportedly stolen from a TSA contractor that contained personal information about commercial drivers who transport hazardous materials across the U.S.
TSA reportedly revealed the theft in an October 12 letter to lawmakers. The computers, which are those of TSA contractor Integrated Biometric Technology for the TSA's Hazardous Materials Endorsement Threat Assessment program -- which gathers security-clearance information on hazmat drivers -- include personal data such as names, addresses, birthdates, commercial driver's license numbers, and some Social Security numbers of nearly 4,000 people, according to an AP report.
After the theft, TSA reportedly ordered the contractor to encrypt all hard drives for the program. "But it's embarrassing that the agency we go to do deal with security threats waited until after these disasters to deploy basic measures," says Paul Kocher, president and chief scientist of Cryptography Research. "There seems to be a priority problem in the TSA... [it's not just about] empty toothpaste tubes."
Details about the actual theft are sketchy so far, with Integrated Biometric Technology first reporting data had been deleted from the laptops prior to the theft, but later it was discovered that the data hadn't been properly wiped from the drives after all.
"So far, the circumstances are sort of suspicious," says Richard Stiennon, chief marketing officer for Fortinet. "There was one computer, and 'we erased the data,' there were two computers, and 'oops, the data wasn't erased well.' There's a lot more on the backend of the story."
The TSA in May announced that an external hard drive containing personnel data on 100,000 TSA employees -- including name, Social Security number, date of birth, payroll information, and bank account/routing information -- was missing from a controlled area at the TSA Headquarters Office of Human Capital. The data included records of TSA employees from January 2002 until August 2005. (See TSA Loses 100,000 Employee Records.)
The obvious irony of a contractor that specializes in background security checks leaving data unprotected, and the Department of Homeland Security agency leaving itself wide open to terrorism and a targeted attack, was unnerving to security experts.
"In a way, we use the TSA as the frontline in the battle against physical terrorism. And it wouldn't be surprising for terror cells to start targeting the TSA because it left itself so vulnerable and open by not following best practices in encrypting data and good deletion [procedures]," Stiennon says. "It shows that they don't understand the sort of battle they are up against."
Even more chilling is that now the bad guys have information on the location of the drivers who transport hazardous materials, he notes.
The bottom line is that encrypting laptops and hard drives is basically a no-brainer today. "There's no excuse why this stuff shouldn't be encrypted," Cryptography Research's Kocher says. "There are free programs that do it, and each version of Windows from XP on supports laptop encryption, and it's [built into] Vista."
Integrated Biometric Technology will provide one year of free credit-monitoring services to the people whose identities were exposed. TSA was not available for comment.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.