Encryption taken off Transportation IG laptop shortly before theft

By Daniel Pulliam

August 10, 2006

The Transportation Department inspector general's office removed the encryption on a laptop containing the personal information of 133,000 Florida residents about two weeks before it was stolen late last month from a government-owned Chevrolet Blazer parked outside a Miami area cafeteria.

Acting Transportation Department Inspector General Todd Zinser said Wednesday that the data is routinely encrypted but it was removed as part of software upgrades, despite an Office of Management and Budget request for all government mobile computer devices containing sensitive information to be encrypted.

The laptop is a Dell Latitude model and is believed to contain four databases with the names, Social Security numbers, dates of birth and addresses of 42,792 Florida pilots, 80,667 Miami-Dade County commercial driver's license holders, 9,005 individuals who obtained their personal driver's licenses in the Tampa area and another 491 drivers who obtained their commercial driver's license in the Tampa area.

The IG office stated the computer is password protected, but experts say that a computer with only a routine system password could be easily accessed by someone interested in misusing identities for credit theft purposes.

In an Aug. 9 letter to members of Congress, Zinser said he did not learn of the July 27 theft until July 31 and he did not learn of the presence of the databases containing sensitive information until Aug. 5.

An instruction sheet given to all IG office employees to whom laptops are assigned states that all data is supposed to be saved in an encrypted folder.

David Barnes, a spokesman for the IG office, said the office maintains its own IT operations that mirror the policies established by the department's chief information officer.

Chris Fedde, senior vice president and general manager of SafeNet's enterprise security division, said a common way to protect sensitive data is to encrypt the entire hard drive, but a drawback is that when you have to do repairs or install new software, you have to decrypt it.

"Normally that's a tightly controlled process," Fedde said. "I bet [the IG office] has a new policy by now."

Special agents in the IG's Miami office were using the databases as part of a multi-agency task force working to identify the use of fraudulent information to obtain driver's licenses or flying certificates. Past use of this type of data has led to guilty pleas in licensing fraud cases, the IG office said in a statement.

The IG office stated that it does not believe thieves targeted the laptop because of the information it contained. A full-scale effort is being undertaken to recover the laptop, Zinser said.

On June 23, OMB Deputy Director for Management Clay Johnson signed a memorandum urging, but not requiring, agencies to encrypt data on remote computer devices holding sensitive information, among other things.

The request came in the wake of a series of data breaches involving sensitive information, namely the early May theft of Veterans Affairs Department computer equipment containing the personal information of 26.5 million people.

Johnson said in the memo that most agencies already take this precaution. But Alan Paller, director of research at the SANS Institute in Bethesda, Md., a nonprofit cybersecurity research organization, said policies do not equal implementation.

To ensure that every security policy is constantly followed, agencies need to implement automated monitoring systems, Paller said. Such systems could, for instance, check machines for compliance every time they are connected to the agency's network, he said.

By Daniel Pulliam

August 10, 2006