Fliers' Data Left Exposed, Report Says
Saturday, January 12, 2008
A government Web site designed to help travelers remove their names from aviation watch lists was so riddled with security holes that hackers could easily have stolen personal information from scores of passengers, a congressional report concluded yesterday.
Thousands of people used the Web site, and as many as 247 submitted detailed personal information between October 2006 and last February, the report says. A spokesman for the Transportation Security Administration, which established the site, said the agency was not aware of any travelers who used the site and became victims of identity theft.
Congressional investigators raised concerns about a conflict of interest in how the no-bid contract to create the Web site was awarded. The TSA employee who framed many of the contract's requirements and was in charge of overseeing the site was once employed by the firm that was awarded the contract -- Desyne Web Services, a small firm in Boston, Va. -- and socialized with members of the company, according to the report by the Democratic staff of the House Oversight and Government Reform Committee.
The TSA continues to use Desyne on various projects, the report said, and has awarded the company no-bid contracts worth about $500,000.
The report also found that the TSA conducted little oversight of the Web site.
"It is mindboggling that TSA would launch a Web site with so many security vulnerabilities," Rep. Henry A. Waxman (D-Calif.), chairman of the committee, said in a statement. "The handling of this Web site goes against all good government contracting standards, reveals serious flaws in oversight, and potentially exposed travelers to identity theft."
Telephone messages left at Desyne were not returned yesterday. A TSA official said that the issues raised by the report were "old news" and that the problems had been addressed. "Things could and should have been done differently," said Christopher White, a TSA spokesman. "We have learned from those issues."
The government provides airlines with security watch lists that give the names of suspected terrorists, fugitives and others considered a "threat to aviation."
The lists have been frequently criticized, particularly since the terrorist attacks of Sept. 11, 2001, heightened security concerns. Prominent Americans, including members of Congress, have been singled out for questioning and searches at airports because their names were similar to names on the lists.
TSA officials said they had taken steps to reduce the number of people whose names are on the no-fly list, who are not allowed to board planes. They took the same steps, they said, to reduce their "selectee" list. Passengers with names similar to those on the selectee list are subjected to extra screening and questioning at checkpoints.
The TSA created a redress procedure three years ago for innocent passengers ensnared by the lists. A flood of requests quickly swamped officials, and by 2006, the TSA began seeking bids from contractors to build, host and maintain "a secure Web-based system" to handle the requests, the committee report says.
TSA investigators later determined that the bid request was written in such a way that only one firm -- Desyne -- could win the contract, according to the report.