By Fred J. Aun TechNewsWorld Part of the ECT News Network
05/08/07 10:54 AM PT
An external hard drive containing personal information on about 100,000 current and former TSA employees "was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital," the agency said. The Transportation Security Administration has promised to give a measure of free credit monitoring and ID theft insurance to those whose records were contained in the drive.
The Transportation Security Administration (TSA) is attempting to provide some solace to current and former employees whose personal information is on a computer hard drive that was "discovered missing" late last week.
The TSA said it will give the employees free credit monitoring for up to one year, ID theft insurance up to US$25,000, fraud alerts and access to identity restoration specialists "who will complete paperwork and assist employees in the event they are a victim of identity theft."
As of Tuesday morning, the TSA had not found the missing portable hard drive, which contains employment records of about 100,000 people who worked for the agency from January 2002 through August 2005.
A Criminal Matter
The external drive "was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital" on May 3. The government said it doesn't know if the device was stolen or just misplaced, but stressed it is not taking the matter lightly.
"The hard drive is missing, and in an abundance of caution, TSA is treating this as a criminal matter," said the TSA. "The FBI and U.S. Secret Service are assisting in the forensic review of equipment and the facility."
Extensive interviews were conducted throughout the weekend, noted the TSA, which added "measures are in place to alert TSA if someone attempts to use the hard drive." So far that hasn't happened, it said.
The drive contains personnel data including name, social security number, date of birth, payroll information, bank account and routing information. The TSA told its workers it was warning them "out of an abundance of caution at this early stage of the investigation given the significance of the information contained on the device." The agency offered an apology and expressed deep regret.
However, the regret, it seems, has a time limit. The free identity theft protection and monitoring offer expires in a year.
TSA Insecurity
The larger question is what the incident could mean for national security and what it says about the general competence of the TSA.
"The agency has always lacked a level of credibility," asserted Charles Slepian, the founder of the Foreseeable Risk Analysis Center (FRAC). "It's not very efficient. It's fragmented. The home office is always in turmoil."
The TSA, part of the Department of Homeland Security, is inept, Slepian has long complained. The missing hard drive incident was hardly unexpected, he told TechNewsWorld.
"I see something like this and I just kind of shrug," said Slepian. "It doesn't shock me anymore. The TSA was antiquated before it ever got up and running. This is just an example of why."
'Quickly and Thoughtfully'
The TSA defended its decision to wait until Friday to announce the drive's disappearance. "TSA acted quickly and thoughtfully to first gather all the facts and take the steps necessary to ensure the hard drive was not simply misplaced," it explained. The agency said it is reviewing its policies and procedures "to prevent future occurrences" and insisted it "is committed to maintaining the privacy of employee information and takes many precautions for the security of personal information."
That statement doesn't ring true to Michael Boyd, president of aviation industry adviser firm The Boyd Group. "The TSA is so bad at keeping things," Boyd told TechNewsWorld. "They lost this drive -- that's real security -- and they can't account for thousands of TSA identification badges and thousands of missing uniforms around the country. The one thing the TSA is not good at is security."
Flawed by Design?
Boyd hopes the missing drive doesn't contain anything more than employee records. "The TSA spokespeople are not particularly honest," he asserted. "They're not going to admit it if more nationally important data was on there."
The TSA's assurances are not comforting, noted Slepian, whose company focuses on preventing such incidents. "I can't answer as to how something like that can be lost, but it's lost," he said. "Whole computers have been lost (by the government) in the past. A lot has to do with the way they hire and appoint management people over there. It always seems to be some kind of a political appointment as opposed to a security appointment. The credentials ... seem to be unrelated to the job that needs to be done. So, this kind of thing doesn't surprise me."