
TSA Site Left Passenger Data Exposed To ID Theft

Poor design, inadequate oversight, led to information breach





by Martin H. Bosworth
ConsumerAffairs.com

January 14, 2008 


It's a turn of events that Franz Kafka would have to admire.

A site designed for the Transportation Security Administration (TSA) to help airline passengers remove their names from terrorist watch lists was so poorly constructed and lacking security that users of the site may be at risk for identity theft.

House Democrat Henry Waxman (D-CA), chairman of the Committee on Oversight and Government Reform, blasted the TSA and a small Virginia Web services company called Desyne for launching a Web site that "violated basic operating standards of web security and failed to protect travelers' sensitive personal information."

The 12-page report from Waxman's office found that "these security breaches can be traced to TSA's poor acquisition practices, conflicts of interest, and inadequate oversight."

According to the report, the "Traveler Redress" Website was farmed out to Desyne in a no-bid contract with no other competition. Desyne's cozy relationship with the TSA could be traced back to Nicholas Panunzio, the head of the project, who had known Desyne's CEO for many years and was a former Desyne employee himself.

TSA investigators also failed to oversee the project adequately enough to catch conflicts of interest such as Panunzio's.

Unsecured sites

The Web site itself was not hosted on a government domain (i.e., ".gov"), but on a commercial Web domain operated by Desyne. Many of the pages designed to submit sensitive personal information were not encrypted, and even pages with Secure Sockets Layer (SSL) encryption were not certified as actually being secure. In one case, Desyne signed its own security certificate for the page.

These vulnerabilities could have enabled hackers to access the information without the user -- or the site owners -- being aware of it.
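The three findings described above (a host outside ".gov", submission pages without encryption, and a certificate signed by the site operator itself) can be checked mechanically before a form goes live. The following is an added example, not code from the report or the site; the host name, field names and certificate dict are constructed, and comparing subject with issuer is a heuristic for a self-signed certificate.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collects each <form> action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []  # list of (action, [field names])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("action") or "", []))
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            self.forms[-1][1].append(a["name"])

def is_self_issued(cert):
    """Heuristic: subject equals issuer in a getpeercert()-style dict."""
    return bool(cert) and cert.get("subject") == cert.get("issuer")

def audit_page(page_url, html, cert=None):
    """Return a list of findings for one page that collects personal data."""
    findings = []
    page = urlsplit(page_url)
    host = (page.hostname or "").lower()
    if not host.endswith(".gov"):
        findings.append(f"host {host} is outside .gov")
    if page.scheme != "https":
        findings.append("form page served without TLS")
    elif is_self_issued(cert):
        findings.append("certificate is self-issued (subject == issuer)")
    parser = FormCollector()
    parser.feed(html)
    for action, fields in parser.forms:
        # An empty or relative action inherits the scheme of the page itself.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme != "https":
            findings.append(f"form with fields {fields} submits in cleartext to {target}")
    return findings

# Constructed sample inputs (hypothetical host and field names).
SAMPLE_HTML = """
<form action="http://redress.example.com/submit" method="post">
  <input name="full_name"><input name="ssn"><input name="dob">
</form>
"""
NAME = ((("commonName", "redress.example.com"),),)
SAMPLE_CERT = {"subject": NAME, "issuer": NAME}

if __name__ == "__main__":
    for f in audit_page("https://redress.example.com/form", SAMPLE_HTML, SAMPLE_CERT):
        print("FINDING:", f)
```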

The site's vulnerabilities were first discovered by University of Indiana student Chris Soghoian, a blogger who had earlier gained a measure of notoriety for creating an online "boarding pass generator" that could generate fake boarding passes. Soghoian claimed to have created the generator to demonstrate how easily the TSA's security procedures could be circumvented.

Although the "Traveler Redress" site was redirected to a subdomain of TSA not long after the problems were exposed, neither Desyne nor Panunzio was disciplined or penalized for the problems.

Desyne has received $500,000 worth of no-bid contracts from TSA and the Department of Homeland Security, and an internal investigation of Panunzio found no wrongdoing on his part, since he did not personally profit from the contract, investigators said.

Insecure flights

The Desyne scandal is only the latest in a long string of security mishaps that have plagued TSA in recent years.

Its "terrorist watch lists" have been roundly criticized for adding thousands of names based on dubious criteria.

Removing oneself from a terrorist watch list is an onerous procedure, involving sending copious amounts of personal information to the TSA to prove one's identity. Security analysts have criticized the lists as a placebo measure that doesn't actually make it easier to track terrorists.

The TSA had initially hired another contractor to collect data on millions of Americans as part of a study for its ill-fated "Secure Flight" program. The Government Accountability Office (GAO) reported that the data collection took place in violation of the Privacy Act and was done without public knowledge.

The "Secure Flight" program, created to match passenger names to "watch lists," was eventually grounded after four years and $150 million spent, due to numerous security and planning problems in the project.

TSA has also violated individual privacy by accident on several occasions. The agency lost a hard drive containing the personal information of 100,000 TSA employees in May 2006. Another contractor for TSA, Accenture, mixed up personal documents for 1,200 employees, sending them to the wrong addresses in September 2006.




Copyright © 2003-2008 ConsumerAffairs.com Inc.  All Rights Reserved.