BreachExchange mailing list archives

FAA registry of pilots' data at risk of data breach


From: security curmudgeon <jericho () attrition org>
Date: Mon, 8 Jul 2013 00:33:13 -0500 (CDT)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.fiercegovernmentit.com/story/faa-registry-pilots-data-risk-data-breach/2013-07-03

By David Perera
FierceGovernmentIT
July 3, 2013

Personally identifiable information kept within the Federal Aviation 
Administration's Civil Aviation Registry is at risk for breach, says the 
Transportation Department office of inspector general.

For a June 27 report (.pdf), auditors examined the registry's system 
configuration and account management, finding that they don't adequately 
protect pilots' information, which includes particularly sensitive 
elements such as their Social Security numbers and medical information.

The registry isn't encrypted, and doesn't require multifactor 
authentication for registry users to log on to the system. FAA officials 
told auditors that they use digital signatures to authenticate users, but 
auditors say they found that not to be the case. There are more than 
38,000 registry users who aren't FAA employees, but the agency "only 
sporadically validates" user accounts and doesn't routinely monitor who's 
accessing sensitive registry data.

The agency doesn't have in place agreements with third parties that 
receive registry information to ensure they, in turn, safeguard the 
personally identifiable information, auditors say.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
