
TSA Site Left Passenger Data Exposed To ID Theft

Poor design, inadequate oversight, led to information breach





by Martin H. Bosworth
ConsumerAffairs.com

January 14, 2008 


It's a turn of events that Franz Kafka would have to admire.

A site designed for the Transportation Security Administration (TSA) to help airline passengers remove their names from terrorist watch lists was so poorly constructed and lacking security that users of the site may be at risk for identity theft.

House Democrat Henry Waxman (D-CA), chairman of the Committee on Oversight and Government Reform, blasted the TSA and a small Virginia Web services company called Desyne for launching a Web site that "violated basic operating standards of web security and failed to protect travelers' sensitive personal information."

The 12-page report from Waxman's office found that "these security breaches can be traced to TSA's poor acquisition practices, conflicts of interest, and inadequate oversight."

According to the report, the "Traveler Redress" Web site was farmed out to Desyne in a no-bid contract with no other competition. Desyne's cozy relationship with the TSA could be traced back to Nicholas Panunzio, the head of the project, who had known Desyne's CEO for many years and was a former Desyne employee himself.

TSA investigators also failed to oversee the project adequately enough to catch conflicts of interest such as Panunzio's.

Unsecured sites

The Web site itself was not hosted on a government domain (i.e., ".gov"), but on a commercial Web domain operated by Desyne. Many of the pages designed to submit sensitive personal information were not encrypted, and even pages with Secure Sockets Layer (SSL) encryption were not certified as actually being secure. In one case, Desyne signed its own security certificate for the page.

These vulnerabilities could have enabled hackers to access the information without the user -- or the site owners -- being aware of it.
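The failings listed above map onto checks a site owner can run against a form page: plaintext pages or submissions, a submission host outside ".gov", and a certificate whose issuer is its own subject. The sketch below is an added example, not code from the report or from this article; the field-name hints, sample HTML, hostnames and certificate are constructed, and the certificate dict follows the layout returned by Python's ssl getpeercert().

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

SENSITIVE = ("ssn", "passport", "birth", "license")  # assumed field-name hints

class FormCollector(HTMLParser):
    """Records each <form>'s action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.current = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self.current)
        elif tag in ("input", "select", "textarea") and self.current is not None:
            self.current["fields"].append((a.get("name") or "").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self.current = None

def is_self_issued(cert):
    # Issuer equal to subject: no outside authority vouches for the site.
    return bool(cert) and cert.get("issuer") == cert.get("subject")

def audit_page(page_url, html, cert=None, required_suffix=".gov"):
    """Return findings for forms that collect sensitive fields."""
    findings = []
    collector = FormCollector()
    collector.feed(html)
    for form in collector.forms:
        if not any(hint in f for f in form["fields"] for hint in SENSITIVE):
            continue
        # Relative actions inherit the page's scheme and host.
        target = urlparse(urljoin(page_url, form["action"]))
        if urlparse(page_url).scheme != "https":
            findings.append("form page served without encryption")
        if target.scheme != "https":
            findings.append("form submits without encryption")
        if not (target.hostname or "").endswith(required_suffix):
            findings.append("form submits to a host outside " + required_suffix)
    if is_self_issued(cert):
        findings.append("certificate is self-issued")
    return findings

# Constructed sample inputs (not taken from the real site).
BAD_HTML = '<form action="submit.cgi"><input name="full_name"><input name="SSN"></form>'
GOOD_HTML = '<form action="/submit"><input name="ssn"></form>'
SELF_CERT = {"subject": ((("commonName", "contractor.example.com"),),),
             "issuer": ((("commonName", "contractor.example.com"),),)}
```

A client that verifies certificates rejects a self-issued one unless it has been explicitly trusted, so the issuer-equals-subject comparison is meant for inventory scans that collect certificates without trusting them.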

The site's vulnerabilities were first discovered by University of Indiana student Chris Soghoian, a blogger who had earlier gained a measure of notoriety for creating an online "boarding pass generator" that could generate fake boarding passes. Soghoian claimed to have created the generator to demonstrate how easily the TSA's security procedures could be circumvented.

Although the "Traveler Redress" site was redirected to a subdomain of TSA not long after the problems were exposed, neither Desyne nor Panunzio was disciplined or penalized for the problems.

Desyne has received $500,000 worth of no-bid contracts from TSA and the Department of Homeland Security, and an internal investigation of Panunzio found no wrongdoing on his part, since he did not personally profit from the contract, investigators said.

Insecure flights

The Desyne scandal is only the latest in a long string of security mishaps that have plagued TSA in recent years.

Its "terrorist watch lists" have been roundly criticized for adding thousands of names based on dubious criteria.

Removing oneself from a terrorist watch list is an onerous procedure, involving sending copious amounts of personal information to the TSA to prove one's identity. Security analysts have criticized the lists as a placebo measure that doesn't actually make it easier to track terrorists.

The TSA had initially hired another contractor to collect data on millions of Americans as part of a study for its ill-fated "Secure Flight" program. The Government Accountability Office (GAO) reported that the data collection took place in violation of the Privacy Act and was done without public knowledge.

The "Secure Flight" program, created to match passenger names to "watch lists," was eventually grounded after four years and $150 million spent, due to numerous security and planning problems in the project.

TSA has also violated individual privacy by accident on several occasions. The agency lost a hard drive containing the personal information of 100,000 TSA employees in May 2006. Another contractor for TSA, Accenture, mixed up personal documents for 1,200 employees, sending them to the wrong addresses in September 2006.


