Report Finds TSA's Traveler Web Site had Multiple Security Vulnerabilities

Oversight Committee report exposes various security deficiencies.

A report on information security breaches at the TSA's Traveler Redress Web site was released today by the Congressional Committee on Oversight and Government Reform.

In October 2006, the Transportation Security Administration launched a Web site to help travelers whose names were erroneously listed on airline watch lists. According to reports, this redress Web site had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft. After an Internet blogger identified these security vulnerabilities in February 2007, the Web site was taken offline and replaced by a Web site hosted on a Department of Homeland Security domain.
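The four deficiencies above (non-government hosting, an unencrypted homepage, an unencrypted submission page, and an HTTPS page whose certificate did not validate) are all checkable before a site goes live. The following audit function is an added example, not code from the report or from TSA or its contractor: it takes a page URL and its HTML, parses the form actions, and reports each of the four conditions. The hostnames, the sample HTML, and the suffix list are constructed for illustration; certificate validity is passed in by the caller because verifying it needs a live TLS handshake, which this offline example does not perform.

```python
"""Static pre-launch audit of a Web form page for the four deficiencies named
in the Oversight Committee report (added example; all sample data constructed).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _FormCollector(HTMLParser):
    """Collects the action attribute of every <form> element on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":  # HTMLParser already lower-cases tag names
            self.actions.append(dict(attrs).get("action") or "")


def audit_page(page_url, html, cert_valid=True, gov_suffixes=(".gov", ".mil")):
    """Return a list of (code, detail) findings for the page.

    page_url   -- the URL the page is served from
    html       -- the page's HTML source
    cert_valid -- whether the server certificate validated for that host
                  (obtained separately, e.g. from an ssl handshake; assumed here)
    """
    findings = []
    parsed = urlparse(page_url)
    host = (parsed.hostname or "").lower()

    # 1. Hosted outside a government domain
    if not host.endswith(gov_suffixes):
        findings.append(("non-gov-domain", host))

    # 2. The page itself is not served over HTTPS
    if parsed.scheme != "https":
        findings.append(("page-not-https", page_url))

    # 3. A form submits personal data to a non-HTTPS endpoint.  Relative
    #    actions inherit the page's own scheme, so they are resolved first.
    collector = _FormCollector()
    collector.feed(html)
    for action in collector.actions:
        target = urljoin(page_url, action)
        if urlparse(target).scheme != "https":
            findings.append(("form-not-https", target))

    # 4. HTTPS is used but the certificate does not validate for this host
    if parsed.scheme == "https" and not cert_valid:
        findings.append(("cert-invalid", host))

    return findings


# Constructed sample pages (hostnames are placeholders, not real sites)
SAMPLE_INSECURE_PAGE = """<html><body>
<form method="post" action="http://www.example-contractor.test/submit.cgi">
  <input name="full_name"><input name="date_of_birth"></form>
<form method="post" action="/secure/submit"><input name="ssn"></form>
</body></html>"""

SAMPLE_SECURE_PAGE = """<html><body>
<form method="post" action="/submit"><input name="full_name"></form>
</body></html>"""


if __name__ == "__main__":
    for code, detail in audit_page(
        "http://www.example-contractor.test/redress/index.html", SAMPLE_INSECURE_PAGE
    ):
        print(f"{code}: {detail}")
```

Run against the constructed insecure page the function reports all of the first three conditions, including the relative-action form that looks harmless in the HTML but inherits the homepage's plain-HTTP scheme; the secure sample on a .gov host with a valid certificate produces no findings.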

At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a Web site that violated basic operating standards of Web security and failed to protect travelers' sensitive personal information. As this report describes, these security breaches can be traced to TSA's poor acquisition practices, conflicts of interest, and inadequate oversight.

The report finds:

  • TSA awarded the Web site contract without competition. TSA gave a Virginia-based contractor called Desyne Web Services a no-bid contract to design and operate the redress Web site. According to an internal TSA investigation, the "Statement of Work" for the contract was "written such that Desyne Web was the only vendor that could meet program requirements."
  • The TSA official in charge of the project was a former employee of the contractor. The TSA official who was the "Technical Lead" on the Web site project and acted as the point of contact with the contractor had an apparent conflict of interest. He was a former employee of Desyne Web Services and regularly socialized with Desyne's owner.
  • TSA did not detect the Web site's security weaknesses for months. The redress Web site was launched on October 6, 2006, and was not taken down until after February 13, 2007, when an Internet blogger exposed the security vulnerabilities. During this period, TSA Administrator Hawley testified before Congress that the agency had assured "the privacy of users and the security of the system" before its launch. Thousands of individuals used the insecure Web site, including at least 247 travelers who submitted large amounts of personal information through an insecure Webpage.
  • TSA did not provide sufficient oversight of the Web site and the contractor. The internal TSA investigation found that there were problems with the "planning, development, and operation" of the Web site and that the program managers were "overly reliant on contractors for information technology expertise" and had failed to properly oversee the contractor, which, as a result, "made TSA vulnerable to non-performance and poor quality work by the contractor."

Neither Desyne nor the Technical Lead on the traveler redress Web site has been sanctioned by TSA for their roles in the deployment of an insecure Web site. TSA continues to pay Desyne to host and maintain two major Web-based information systems: TSA's claims management system and a government-wide traveler redress program. TSA has taken no steps to discipline the Technical Lead, who still holds a senior program management position at TSA.