By Lisa Vaas
October 16, 2007
All data must be encrypted, the TSA orders, after the loss of laptops
holding hazmat driver data.
Following the loss and possible theft of two laptops containing the
personal data of 3,930 truckers who handle hazardous materials, the
Transportation Security Administration has mandated that contractors
must encrypt any and all data on top of any deletion policies they have
According to a letter the TSA sent to lawmakers on Oct. 12, the laptops
- both of which belonged to a TSA contractor - contain names, addresses,
birthdays, commercial driver's license numbers and, in some instances,
Social Security numbers of the affected truckers.
First, one laptop was lost. At that time, the contractor, L-1 Identity
Solutions' Integrated Biometric Technology division, told the TSA that
the truckers' information had been deleted from the system, TSA Public
Affairs Manager Ann Davis told eWEEK.
Then, another laptop disappeared. After the second theft or loss, the
TSA conducted an IT forensic investigation that ascertained that the
deleted information could be retrieved if a thief had the proper
"So even though [there's only a] small chance of [the data being
misused], we did notify all affected individuals and advised them of
what steps to take to protect themselves, and we mandated that
contractors need to encrypt any and all data in addition to any deletion
procedures that might be in place," Davis said.
The TSA requires that all individuals who transport hazardous waste
provide information for a security clearance in a program called the
Hazardous Materials Endorsement Threat Assessment that's mandated under
the Patriot Act.
This isn't the first time the TSA has found itself in data-breach hot
water, and it isn't the agency's biggest data breach, by a long shot. On
May 7, the agency announced that a hard drive containing personal
information belonging to 100,000 government workers had been lost.
The TSA is also requiring Integrated Biometric Technology to provide
free credit reporting to the affected individuals.
L-1 Identity Solutions couldn't immediately provide a spokesperson to
give information to eWEEK on the incident.
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques. Register now for savings on conference fees
and/or free exhibits admission. - www.csiannual.com