A Congressional report released on Friday says the Transportation Security Administration's (TSA) Web site to redress people mistakenly placed on airline antiterrorism watch lists was riddled with security vulnerabilities.
According to a statement released by Chairman Henry Waxman of the House Committee on Oversight and Government Reform:
"This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified.
These vulnerabilities, reports Computerworld.com, exposed thousands on the list to identify theft.
The Web site was activated in October 2006. Travelers seeking redress from the government on the watch-list entries were required to provide a wide range of information via the Web site, including their passport details, Social Security number, birth date and place of birth, as well as their height, weight and other personal data.
Waxman's statement said the "security breaches can be traced to TSA’s poor acquisition practices, conflicts of interest, and inadequate oversight."
TSA awarded the contract to Desyne Web Services, a small Virginia-based contractor, which the report says did not have the necessary capacity to perform the contract's requirments and was awarded it without competition. TSA's technical lead on the project had a major conflict-of-interest as he was also a former employee of Desyne and regularly socialized with its owner, the report states.
Aside from poor acquisition practices and the conflict of interest, TSA was also criticized for poor oversight of the Web site. It took TSA more than four months to discover that the Web site was plagued with security vulnerabilities. The report says the Web site's security problems weren't detected because "the program managers were 'overly reliant on contractors for information technology expertise' and had failed to properly oversee the contractor, which as a result, 'made TSA vulnerable to non-performance and poor quality work by the contractor.'”
Despite Desyne's mistakes, the TSA has not sanctioned the contractor and still allows it to operate TSA Web sites. Desyne has received more than $500,000 in TSA contracts since 2004, reports PC World.