The Transportation Security Administration (TSA) is attempting to provide some solace to current and former employees whose personal information is on a computer hard drive that was “discovered missing” late last week.
The TSA said it will give the employees free credit monitoring for up to one year, ID theft insurance up to US$25,000, fraud alerts and access to identity restoration specialists “who will complete paperwork and assist employees in the event they are a victim of identity theft.”
As of Tuesday morning, the TSA had not found the missing portable hard drive, which contains employment records of about 100,000 people who worked for the agency from January 2002 through August 2005.
A Criminal Matter
The external drive “was discovered missing from a controlled area at the TSA Headquarters Office of Human Capital” on May 3. The government said it doesn’t know if the device was stolen or just misplaced, but stressed it is not taking the matter lightly.
“The hard drive is missing, and in an abundance of caution, TSA is treating this as a criminal matter,” said the TSA. “The FBI and U.S. Secret Service are assisting in the forensic review of equipment and the facility.”
Extensive interviews were conducted throughout the weekend, noted the TSA, which added “measures are in place to alert TSA if someone attempts to use the hard drive.” So far that hasn’t happened, it said.
The drive contains personnel data including name, social security number, date of birth, payroll information, bank account and routing information. The TSA told its workers it was warning them “out of an abundance of caution at this early stage of the investigation given the significance of the information contained on the device.” The agency offered an apology and expressed deep regret.
However, the regret, it seems, has a time limit. The free identity theft protection and monitoring offer expires in a year.
TSA Insecurity
The larger question is what the incident could mean for national security and what it says about the general competence of the TSA.
“The agency has always lacked a level of credibility,” asserted Charles Slepian, the founder of the Foreseeable Risk Analysis Center (FRAC). “It’s not very efficient. It’s fragmented. The home office is always in turmoil.”
The TSA, part of the Department of Homeland Security, is inept, Slepian has long complained. The missing hard drive incident was hardly unexpected, he told TechNewsWorld.
“I see something like this and I just kind of shrug,” said Slepian. “It doesn’t shock me anymore. The TSA was antiquated before it ever got up and running. This is just an example of why.”
‘Quickly and Thoughtfully’
The TSA defended its decision to wait until Friday to announce the drive’s disappearance. “TSA acted quickly and thoughtfully to first gather all the facts and take the steps necessary to ensure the hard drive was not simply misplaced,” it explained. It is reviewing its policies and procedures “to prevent future occurrences” and insisted it “is committed to maintaining the privacy of employee information and takes many precautions for the security of personal information,” the TSA stated.
That statement doesn’t ring true to Michael Boyd, president of aviation industry adviser firm The Boyd Group. “The TSA is so bad at keeping things,” Boyd told TechNewsWorld. “They lost this drive — that’s real security — and they can’t account for thousands of TSA identification badges and thousands of missing uniforms around the country. The one thing the TSA is not good at is security.”
Flawed by Design?
Boyd hopes the missing drive doesn’t contain anything more than employee records. “The TSA spokespeople are not particularly honest,” he asserted. “They’re not going to admit it if more nationally important data was on there.”
The TSA’s assurances are not comforting, noted Slepian, whose company focuses on preventing such incidents. “I can’t answer as to how something like that can be lost, but it’s lost,” he said. “Whole computers have been lost (by the government) in the past. A lot has to do with the way they hire and appoint management people over there. It always seems to be some kind of a political appointment as opposed to a security appointment. The credentials … seem to be unrelated to the job that needs to be done. So, this kind of thing doesn’t surprise me.”