FAA registry of pilots' data at risk of data breach

[InfoSec News <alerts () infosecnews org>]

http://www.fiercegovernmentit.com/story/faa-registry-pilots-data-risk-data-breach/2013-07-03

By David Perera
FierceGovernmentIT
July 3, 2013

Personally identifiable information kept within the Federal Aviation 
Administration's Civil Aviation Registry is at risk for breach, says the 
Transportation Department office of inspector general.

For a June 27 report (.pdf), auditors examined the registry's system 
configuration and account management, finding that they don't adequately 
protect pilots' information, which includes particularly sensitive 
elements such as their Social Security numbers and medical information.

The registry isn't encrypted, and doesn't require multifactor 
authentication for registry users to log on to the system. FAA officials 
told auditors that they use digital signatures to authenticate users, but 
auditors say they found that not to be the case. There are more than 
38,000 registry users who aren't FAA employees, but the agency "only 
sporadically validates" user accounts and doesn't routinely monitor who's 
accessing sensitive registry data.

The agency doesn't have in place agreements with third parties that 
receive registry information to ensure they, in turn, safeguard the 
personally identifiable information, auditors say.

[...]



--
Visit the new and improved InfoSec News website
http://www.infosecnews.org/