Passport snooping raises alarm

Lawmakers consider whether additional legislation is needed to safeguard data

Inside State's passport database

Passport files, including those of the three leading presidential candidates that officials announced March 20 had been breached, are stored in the State Department’s Passport Information Electronic Retrieval System. The database contains no travel or entry and exit information, but it does contain personal data that applicants submit when applying for a passport. That information includes:

  • Name.

  • Sex.

  • Date and place of birth.

  • Social Security number.

  • Marital status.

  • Mailing address.

In rare cases, such as suspected fraud, the Office of Passports also retains medical, financial and arrest records.

— Ben Bain

The revelations that three contractors and a State Department employee snooped into the passport files of the presidential candidates prompted new calls from lawmakers for more federal regulations centered on data security breaches.

Meanwhile, officials say unauthorized access to private or classified information is a significant and recurring problem.

Thieves stole a laptop computer containing information on clinical trial participants from the trunk of a National Institutes of Health employee’s car in February.

The Veterans Affairs Department, Agriculture Department and other federal agencies have also reported security incidents involving data loss.

At the State Department, an automated system detected the unauthorized passport file access, but senior officials said they learned of the incidents only when a reporter called to inquire.

State officials said that “imprudent curiosity” caused the security incidents.

Anyone gaining access to passport records who did not have a need to do so would violate the 1974 Privacy Act. Personal information stored in federal databases is protected under that law.

The department uses a need-to-know standard in determining whether someone is authorized to view personal information, said Patrick Kennedy, undersecretary for management. However, some lawmakers argue that might not be sufficient.

Lawmakers on the Senate Judiciary Committee are pressing Senate leaders to take up legislation that would tighten oversight of government contractors who handle personal information and strengthen requirements for reporting data breaches.

Currently, Office of Management and Budget policy requires agencies to report all incidents that potentially involve personally identifiable information to the Homeland Security Department’s U.S. Computer Emergency Readiness Team within an hour of discovery. Also, a May 2007 memo from OMB requires agencies to create policies on data breaches and identify corrective actions.

According to OMB’s 2007 report to Congress on implementing the Federal Information Security Management Act, US-CERT received more than seven times as many “unauthorized access” cybersecurity incident reports in fiscal 2007 as it did in fiscal 2005. Reports categorized as “improper usage” quintupled during that same time period. Both spikes are credited to increases in reports for incidents where personally identifiable information potentially had been revealed. Overall, security incidents reported to US-CERT more than tripled during that three-year span.

“A week does not go by without reports of personal data privacy breaches,” Sens. Patrick Leahy (D-Vt.) and Arlen Specter (R-Pa.) wrote March 25 in a letter to Senate leaders urging passage of their legislation, the Personal Data Privacy and Security Act. “The legislation would provide protections for consumers, including a requirement for timely notification of data security breaches,” they wrote. The bill would require that government contractors safeguard sensitive personal data, such as the passport information that workers improperly viewed.

About 40 states have data breach notification laws on the books, said Lisa Sotto, head of the privacy and information management practice at law firm Hunton and Williams and an expert on privacy and data security. In the private sector, the culprits behind unauthorized data access are often those who have some degree of legitimate access, as was the case at State, Sotto said.

“I think it’s fair to say that employees are always curious,” Sotto added. “A very significant number of data breaches are committed by employees, contractors and third-party vendors, and that makes sense because they have authorized access to systems but not necessarily authorized access to certain data, or they simply ought to not be looking at certain data.”

The passport file doesn’t record travel information. However, it does store personal information that people submit when they apply for a passport. Federal agencies that have agreements with the State Department can access the database. In addition, Interpol and some foreign governments have data-sharing arrangements that allow for automated checking of lost, stolen or otherwise invalid passport records.

Sean McCormack, a State spokesman, said the breach’s discovery showed that the department’s detection system worked.

However, the discovery should have been passed on to the department’s top officials immediately, he added.

Two of the fired employees were subcontractors to Stanley. Stanley officials said the company fired the workers the day the unauthorized search occurred. The company said it plans to fully comply with any government investigation.

The way the incident was handled was probably typical, said Jonathan Aronie, an attorney at law firm Sheppard Mullin and a Federal Computer Week columnist. Prime contractors usually handle conduct issues involving subcontractors.

Stanley has received several contracts to process passport applications. The company oversees passport printing, quality control and mailing operations at 18 processing sites nationwide. In the Office of Passport Services, government employees are solely responsible for adjudicating passport applications, while contractors perform many associated duties, including customer service, data entry, and printing and mailing of travel documents.

As contractors play a larger role in the federal government, Office of Federal Procurement Policy guidelines for determining which government tasks cannot be performed by contractors are expected to spur continuing debate in Congress.  

About the Author

Ben Bain is a reporter for Federal Computer Week.
