TSA suffers data loss; lawmakers watch closely

The Transportation Security Administration is investigating the possible loss or theft of an external hard drive that contained the payroll data of about 100,000 current and former employees, including their Social Security numbers and bank account and routing information. The records affect individuals employed by TSA from January 2002 until August 2005, the agency of the Homeland Security Department said in a statement.

The hard drive was discovered missing from a controlled area at the TSA headquarters’ Office of Human Capital in Arlington, Va.

“It is unclear at this stage whether the device is still within headquarters or was stolen,” said TSA Administrator Kip Hawley in a May 4 letter to affected employees.

Although TSA is responsible for security across the transportation sector, there were gaps at home, said Rep. Tom Davis (R-Va.), ranking member of the House Oversight and Government Reform Committee.

“As we debate DHS' role regarding cybersecurity, it appears the agency wasn't watching the threats at home,” he said.
TSA’s data loss comes on the heels of a data security and notification bill that Davis introduced last week.

The Federal Agency Data Breach Protection Act directs the Office of Management and Budget to establish standards and practices for informing citizens of lost data and provides a clear definition of the type of sensitive information for which the law would apply. It also gives agency chief information officers authority to ensure employees comply with data security laws.

“My bill would help before and after: It requires that equipment containing potentially sensitive information be accounted for and secure, and it requires citizens receive prompt notice if personal information held by a federal agency is compromised,” Davis said.

Agencies began to further tighten security last year after the theft of a laptop computer containing personal data on millions of veterans from the home of a Veterans Affairs Department employee.

In the most recently reported data breach last month, the Agriculture Department became aware it had inadvertently made public the Social Security numbers of 38,700 grant and loan recipients through the Federal Assistance Awards Data System. The numbers were part of a 15-digit string that acted as a loan recipient’s federal award number.

The House Homeland Security Committee is watching closely how TSA’s investigation unfolds. “My concern lies with the tens of thousands of employees who are affected,” said committee Chairman Bennie Thompson (D-Miss.). “For an agency suffering from morale problems, this is a terrible and unfortunate blow.”

Rep. Sheila Jackson Lee (D-Texas), chairwoman of the committee’s Transportation Security and Infrastructure Protection Subcommittee, plans to conduct hearings on the incident, said Dena Graziano, committee spokeswoman.

TSA will provide the affected employees with identity theft protection and credit monitoring for one year, as necessary. Hawley apologized in the letter for the incident. TSA said it has extensive data protections protocols and training in place for its employees regarding data privacy. TSA said it will take swift disciplinary action, including dismissal, against individuals found to be in violation of its procedures.

TSA immediately reported the incident to senior DHS and law enforcement officials when it became apparent May 3 and launched an investigation. TSA is treating the incident as a criminal matter and asked the FBI to investigate. The Secret Service is also assisting in the forensic review of equipment and facilities.