By Daniel Pulliam
dpulliam [at] govexec.com
August 10, 2006
The Transportation Department inspector general's office removed the
encryption on a laptop containing the personal information of 133,000
Florida residents about two weeks before it was stolen late last month
from a government-owned Chevrolet Blazer parked outside a Miami area
Acting Transportation Department Inspector General Todd Zinser said
Wednesday that the data is routinely encrypted but the encryption was
removed as part of software upgrades, despite an Office of Management and
Budget request for all government mobile computer devices containing
sensitive information to be encrypted.
The laptop is a Dell Latitude model and is believed to contain four
databases with the names, Social Security numbers, dates of birth and
addresses of 42,792 Florida pilots, 80,667 Miami-Dade County commercial
driver's license holders, 9,005 individuals who obtained their personal
driver's licenses in the Tampa area and another 491 drivers who obtained
their commercial driver's license in the Tampa area.
The IG office stated the computer is password protected, but experts say
that a computer with only a routine system password could be easily
accessed by someone interested in misusing identities for credit theft
In an Aug. 9 letter to members of Congress, Zinser said he did not
learn of the July 27 theft until July 31 and he did not learn of the
presence of the databases containing sensitive information until Aug. 5.
An instruction sheet given to all IG office employees to whom laptops
are assigned states that all data is supposed to be saved in an encrypted
David Barnes, a spokesman for the IG office, said the office maintains its
own IT operations that mirror the policies established by the department's
chief information officer.
Chris Fedde, senior vice president and general manager of SafeNet's
enterprise security division, said a common way to protect sensitive data
is to encrypt the entire hard drive, but a drawback is that when you have
to do repairs or install new software, you have to decrypt it.
"Normally that's a tightly controlled process," Fedde said. "I bet [the IG
office] has a new policy by now."
Special agents in the IG's Miami office were using the databases as part
of a multi-agency task force working to identify the use of fraudulent
information to obtain driver's licenses or flying certificates. Past use
of this type of data has led to guilty pleas in licensing fraud cases, the
IG office said in a statement.
The IG office stated that it does not believe thieves targeted the laptop
because of the information it contained. A full-scale effort is being
undertaken to recover the laptop, Zinser said.
On June 23, OMB Deputy Director for Management Clay Johnson signed a
memorandum urging, but not requiring, agencies to encrypt data on
remote computer devices holding sensitive information, among other things.
The request came in the wake of a series of data breaches involving
sensitive information, namely the early May theft of Veterans Affairs
Department computer equipment containing the personal information of 26.5
Johnson said in the memo that most agencies already take this precaution,
but Alan Paller, director of research at the SANS Institute in Bethesda,
Md., a nonprofit cybersecurity research organization, said policies do not
To ensure that every security policy is constantly followed, agencies need
to implement automated monitoring systems, Paller said. Such systems
could, for instance, check machines for compliance every time they are
connected to the agency's network, he said.