A congressional report issued last week outlined the failure of the Transportation Security Administration to secure a special Web site designed to help travelers whose names appeared erroneously on the airline watch lists. It turns out to be a situation that reeks of multiple ethical lapses that ultimately put sensitive information at risk. Though the Web site was eventually taken down and hosted on Department of Homeland Security servers, what is most interesting is how the site was initially contracted out to a third party to build and manage. Here’s a situation where a government site was to host potentially sensitive information, yet the contract was awarded without competition, with specifications drafted so that only one Web design company (Desyne Web Services) could qualify for the job. To make matters worse, oversight of the contract at TSA was conducted by a former employee of Desyne, Nicholas Panuzio, according to the report.
Information being hosted and transmitted via the site included Social Security numbers, telephone numbers, addresses, birth dates and places of birth. The site was launched on October 6, 2006, and was not taken down until a blogger, Chris Soghoian of the University of Indiana, discovered the vulnerabilities after February 13, 2007. The site did not use encryption, was not hosted on a government domain, and did not conduct its transactions securely. Chris writes about the incident at his Cnet blog.
What is even more galling is that Desyne wasn’t sanctioned for poor performance and to date has received almost $500,000 worth of no-bid contracts to provide Web services to TSA and DHS. Also, no disciplinary action was taken against Panuzio, since he didn’t personally benefit financially from the contract.
In a time when the nation is so sensitive about security lapses and protecting critical data, reports like this only highlight how slow and ineffective the government is at securing its systems and protecting an individual’s information. This may not have been the nation’s most guarded secret, but it is nonetheless sensitive information tied to U.S. citizens that could be used fraudulently by cybercriminals and, even more frightening, by a terrorist organization.