http://www.fiercegovernmentit.com/story/faa-registry-pilots-data-risk-data-breach/2013-07-03
By David Perera
FierceGovernmentIT
July 3, 2013
Personally identifiable information kept within the Federal Aviation
Administration's Civil Aviation Registry is at risk for breach, says the
Transportation Department office of inspector general.
For a June 27 report (.pdf), auditors examined the registry's system
configuration and account management, finding that they don't adequately
protect pilots' information, which includes particularly sensitive
elements such as their Social Security numbers and medical information.
The registry isn't encrypted, and doesn't require multifactor
authentication for registry users to log on to the system. FAA officials
told auditors that they use digital signatures to authenticate users, but
auditors say they found that not to be the case. There are more than
38,000 registry users who aren't FAA employees, but the agency "only
sporadically validates" user accounts and doesn't routinely monitor who's
accessing sensitive registry data.
The agency doesn't have in place agreements with third parties that
receive registry information to ensure they, in turn, safeguard the
personally identifiable information, auditors say.
[...]
--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/
