Alternate Title: Information Security Breach at TSA: The Traveler Redress Website, United States House of Representatives, Committee on Oversight and Government Reform, Majority Staff, January 2008
"In October 2006, the Transportation Security Administration launched a website to help travelers whose names were erroneously listed on airline watch lists. This redress website had multiple security vulnerabilities: it was not hosted on a government domain; its homepage was not encrypted; one of its data submission pages was not encrypted; and its encrypted pages were not properly certified. These deficiencies exposed thousands of American travelers to potential identity theft. After an internet blogger identified these security vulnerabilities in February 2007, the website was taken offline and replaced by a website hosted on a Department of Homeland Security domain. At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a website that violated basic operating standards of web security and failed to protect travelers' sensitive personal information. As this report describes, these security breaches can be traced to TSA's poor acquisition practices, conflicts of interest, and inadequate oversight."

The report finds the following:

1. TSA awarded the website contract without competition.
2. The TSA official in charge of the project was a former employee of the contractor.
3. TSA did not detect the website's security weaknesses for months.
4. TSA did not provide sufficient oversight of the website and the contractor.