By TED BRIDIS
Associated Press Writer
WASHINGTON -- The Transportation Security Administration did not follow
White House instructions to protect sensitive information on a computer
hard drive containing bank and payroll data for 100,000 employees that
was discovered missing, the agency acknowledged to Congress.
Authorities realized in May the storage device, an external hard drive,
was missing from TSA headquarters. In a letter to Rep. Ed Markey,
D-Mass., the agency said the drive contained historical payroll data,
Social Security numbers, dates of birth, addresses, time and leave data,
bank account and routing information, and details about financial
allotments and deductions.
The TSA said it was still conducting an administrative review of the
loss but already had disciplined some employees. It did not provide
details. The agency earlier said it would fire anyone discovered to have
violated the agency's data-protection policies.
The information on the missing drive was not protected with encryption
or any electronic security technology, the TSA said. However, the White
House Office of Management and Budget last summer ordered all sensitive
data encrypted on laptops or portable devicesincluding handheld
devicesif they were carried outside secure areas.
The lack of any encryption means any computer user who connects the
drive to a laptop or desktop PC can view all the information without any
special software tools.
"TSA dropped the ball when they chose to ignore recommendations set
forth by OMB to encrypt sensitive information," said Rep. Bennie
Thompson, D-Miss., the chairman of the Homeland Security Committee.
"This is not a technological problem but a management one."
The TSA said its Office of Inspection is investigating the missing hard
drive with help from the FBI and Secret Service, but it remains unclear
whether the drive was lost or stolen. There have been no reports of
fraudulent credit activity involving employees whose information was
vulnerable, the agency said.
The TSA said roughly 27,000 employees signed up for one year of
credit-monitoring services it agreed to pay for.
The TSA wrote earlier this month to Markey, a member of the Homeland
Security Committee, and the letter was obtained Monday by The Associated
Copyright 2007 San Jose Mercury News
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com