The Transportation Security Administration’s traveler redress website—which was launched to give travelers a way to get their names removed from the government’s toddler-centric no-fly list—operated for months without proper security in place, leaving citizens who submitted detailed personal information to it wide open to identity theft. Gee, we’re this close to thinking that the TSA is run by a bunch of grotesquely incompetent, slug-like bureaucrats.
From Ars Technica:
The web site was hosted on a commercial domain by a contractor and did not use SSL encryption for submission forms that transmit sensitive identification information. The few pages of the site that did use SSL used an expired certificate that had been self-signed by the contractor.
The problems with the site and its development were made public on Friday in a report published by the House Oversight and Government Reform Committee, which said, the TSA was completely unaware of the security issues while the site was in operation. During that time, thousands of travelers submitted personal information through the website and a TSA administrator claimed in congressional testimony that the agency had assured “the privacy of users and the security of the system.”
Even worse, the site was awarded through a no-bid contract to Desyne, a web marketing firm in Virginia run by a high-school buddy of the TSA employee in charge of the site.
As of now, fortunately, there’s no indication that any data was stolen during the four-month-long gap in security.
“TSA security flaws exposed users to risk of identity theft” [Ars Technica]