Airline travelers were exposed to identity theft by a U.S. government web site meant to help them remove their names from a security no-fly list, according to a new report.
Large amounts of personal information submitted by 247 people could have been easily seen by hackers between October 2006 and February 2007, a U.S. oversight committee said Friday.
The problems were corrected last February and the site is now secure on a domain hosted by the Department of Homeland Security. At the time of the fix, the TSA contacted all people who may have been affected.
Officials at the Transportation Security Administration, which commissioned the site, have not sanctioned the company contracted to make the site or the government employee in charge of the project, the report stated.
The report by the U.S. House of Representatives Committee on Oversight and Government said there were several other lapses by the TSA.
Among the findings: the website was contracted without competition under rules meant to exclude any other contractor; the TSA official in charge was a former employee of the contractor; the TSA did not discover the security weaknesses for months; and the TSA did not provide sufficient oversight of the website and the contractor.
The website, created by Desyne Web Services, had several problems: it was initially not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified.
The Technical Lead designated by the TSA was Nicholas Panuzio, director of the Claims Management Office. The Committee said that Panuzio had a conflict of interest since he was friends with Desyne's owner. The conflict of interest had been disclosed to the TSA Office of Chief Counsel, but Panuzio did not inform the project manager or the lead contracting officer on the project.