Fliers' Data Left Exposed, Report Says

According to the report, the primary author of the contract's requirements was Nicholas Panuzio, a TSA official who also was assigned an oversight role of the Web site. Panuzio "had a prior relationship with Desyne" that included having worked for the company for eight months several years earlier, the report says.

Panuzio had also known the company's owner since high school and "still met regularly with Desyne's owner and others for drinks and dinner," according to the report.

Panuzio could not be reached for comment yesterday.

The report said Panuzio reported the conflict of interest to the agency's chief counsel but not to the project's managers. The report did not say when the disclosure was made, and a TSA spokesman was unable to pinpoint a time.

TSA officials said that Panuzio did not profit from the contract, which was valued at $48,816. "A thorough review determined that no disciplinary action was necessary," said White, the spokesman.

A few months after the site was launched, Chris Soghoian, a graduate student at Indiana University discovered that it was not secure.

Soghoian told investigators that the site's appearance "was so poor that he first suspected it was a 'phishing' site," or one set up by hackers to imitate official sites to lure people into giving personal information that could then be stolen, the report found.

Soghoian posted his concerns in February on a blog then picked up by news outlets, including a http://washingtonpost.com security blog. The TSA quickly moved the site to a more secure government domain, at https://trip.dhs.gov.