Passport snooping raises alarm

Lawmakers consider whether additional legislation is needed to safeguard data

Inside State's passport database

Passport files, including those of the three leading presidential candidates that officials announced March 20 had been breached, are stored in the State Department’s Passport Information Electronic Retrieval System. The database contains no travel or entry and exit information, but it does contain personal data that applicants submit when applying for a passport. That information includes:

  • Name.

  • Sex.

  • Date and place of birth.

  • Social Security number.

  • Marital status.

  • Mailing address.

In rare cases, such as suspected fraud, the Office of Passports also retains medical, financial and arrest records.

— Ben Bain

The revelations that three contractors and a State Department employee snooped into the passport files of the presidential candidates prompted new calls from lawmakers for more federal regulations centered on data security breaches.

Meanwhile, officials say unauthorized access to private or classified information is a significant and recurring problem.

Thieves stole a laptop computer containing information on clinical trial participants from the trunk of a National Institutes of Health employee’s car in February.

The Veterans Affairs Department, Agriculture Department and other federal agencies have also reported security incidents involving data loss.

At the State Department, an automated system detected the unauthorized passport file access, but senior officials said they learned of the incidents only when a reporter called to inquire.

State officials said that “imprudent curiosity” caused the security incidents.

Anyone gaining access to passport records who did not have a need to do so would violate the 1974 Privacy Act. Personal information stored in federal databases is protected under that law.

The department uses a need-to-know standard in determining whether someone is authorized to view personal information, said Patrick Kennedy, undersecretary for management. However, some lawmakers argue that might not be sufficient.

Lawmakers on the Senate Judiciary Committee are pressing Senate leaders to take up legislation that would tighten oversight of government contractors who handle personal information and strengthen requirements for reporting data breaches.

Currently, Office of Management and Budget policy requires agencies to report all incidents that potentially involve personally identifiable information to the Homeland Security Department’s U.S. Computer Emergency Readiness Team within an hour of discovery. Also, a May 2007 memo from OMB requires agencies to create policies on data breaches and identify corrective actions.

According to OMB’s 2007 report to Congress on implementing the Federal Information Security Management Act, US-CERT received more than seven times as many “unauthorized access” cybersecurity incident reports in fiscal 2007 as it did in fiscal 2005. Reports categorized as “improper usage” quintupled during that same time period. Both spikes are credited to increases in reports for incidents where personally identifiable information potentially had been revealed. Overall, security incidents reported to US-CERT more than tripled during that three-year span.

“A week does not go by without reports of personal data privacy breaches,” Sens. Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.) wrote March 25 in a letter to Senate leaders urging passage of their legislation, the Personal Data Privacy and Security Act. “The legislation would provide protections for consumers, including a requirement for timely notification of data security breaches,” they wrote. The bill would require that government contractors safeguard sensitive personal data, such as the passport information that workers improperly viewed.

About 40 states have data breach notification laws on the books, said Lisa Sotto, head of the privacy and information management practice at law firm Hunton and Williams and an expert on privacy and data security. In the private sector, the culprits behind unauthorized data access are often those who have some degree of legitimate access, as was the case at State, Sotto said.

“I think it’s fair to say that employees are always curious,” Sotto added. “A very significant number of data breaches are committed by employees, contractors and third-party vendors, and that makes sense because they have authorized access to systems but not necessarily authorized access to certain data, or they simply ought to not be looking at certain data.”

The passport file doesn’t record travel information. However, it does store personal information that people submit when they apply for a passport. Federal agencies that have agreements with the State Department can access the database. In addition, Interpol and some foreign governments have data-sharing arrangements that allow for automated checking of lost, stolen or otherwise invalid passport records.

Sean McCormack, a State spokesman, said the breach’s discovery showed that the department’s detection system worked.

However, the discovery should have been passed on to the department’s top officials immediately, he added.

Two of the fired employees were subcontractors to Stanley. Stanley officials said the company fired the workers the day the unauthorized search occurred. The company said it plans to fully comply with any government investigation.

The way the incident was handled was probably typical, said Jonathan Aronie, an attorney at law firm Sheppard Mullin and a Federal Computer Week columnist. Prime contractors usually handle conduct issues involving subcontractors.

Stanley has received several contracts to process passport applications. The company oversees passport printing, quality control and mailing operations at 18 processing sites nationwide. In the Office of Passport Services, government employees are solely responsible for adjudicating passport applications, while contractors perform many associated duties, including customer service, data entry, and printing and mailing of travel documents.

As contractors play a larger role in the federal government, Office of Federal Procurement Policy guidelines for determining which government tasks cannot be performed by contractors are expected to spur continuing debate in Congress.  

About the Author

Ben Bain is a reporter for Federal Computer Week.
