IG: State Department passport system wide open

Poor security policies and lack of clear disciplinary actions allow unauthorized users to view personal information in files.

The State Department has failed to provide adequate controls to prevent unauthorized access to individuals' passport files, according to an inspector general's report released on Thursday.

The department has not established the proper policies, procedures and disciplinary actions to prevent employees and contractors, as well as those in other agencies, from accessing files in the computer system that the Bureau of Consular Affairs uses to process passports, according to a heavily redacted report. The system, called the Passport Information Electronic Records System, compromises citizens' privacy and leaves their personal information vulnerable to theft.

The system has a vast collection of data on Americans and contains records for about 127 million passport holders. Information such as the name, date of birth, Social Security number and citizenship status for applicants and family members is stored in the network. Agencies are required to secure such records under the 1974 Privacy Act and should be walled off from unauthorized access, the report said.

The security of passport information first attracted attention in March, when it was reported that contractors processing passports for State had inappropriately accessed the files of the three leading presidential candidates, Sens. Barack Obama, D-Ill.; John McCain, R-Ariz.; and Hillary Clinton, D-N.Y. The department announced at the time that the contractors had fired two employees and disciplined a third for accessing the candidates' files, and called for an investigation by the department's IG.

State detected the breaches because the files of high-profile individuals are programmed to flag system administrators if anyone accesses the file, with the first access occurring on Jan. 9. Senior State officials, however, were not informed of the breaches until March 20 because the contractors' immediate supervisors disciplined them and did not inform their managers. The IG is conducting a separate investigation into the specific conduct of the contractors who accessed the files.

The IG made 22 recommendations, most of which were redacted because the vulnerabilities in the system have yet to be fixed, according to Tom Burgess, director of congressional and public affairs for State's Office of the Inspector General. The redactions "would provide a roadmap" to the system's weaknesses, he said.

The IG found that Consular Affairs had not developed proper policies and procedures for managing the unauthorized access of files, nor had it trained employees on what constitutes unauthorized access or what the penalties are for doing this. In addition, the IG found that disciplinary actions were left to the discretion of the employee's supervisor, which meant penalties were applied inconsistently. Consular Affairs said it was unaware of actions taken against employees in other agencies who access files without permission.

The IG recommended that the bureau implement specific guidelines for handling violations, including reprimand, suspension, dismissal and prosecution. Consular Affairs disagreed with the recommendation, saying any policy developed would not be applicable to outside departments or contractors because they are not within the agency's jurisdiction.

State officials attributed some of the department's inability to develop security controls and to assess the system's vulnerability to a shortage of resources.

The department launched the passport system in April 1999 to speed up the processing time for passports and to make it easer to research applicants' records. About 20,500 individuals have an active account to use the system, according to Consular Affairs officials, and 12,200 of those were employees or contractors at State.

Other agencies such as the Homeland Security Department and the FBI use the system to investigate crimes, analyze security threats and notify the families of U.S. citizens who are injured or die abroad, among other purposes.

The report recommended that Consular Affairs implement security controls similar to those used by the Internal Revenue Service and the Treasury Inspector General for Tax Administration, which trigger alerts when an unauthorized person accesses a file. Consular Affairs agreed with the recommendation and is developing initiatives for monitoring, auditing and reporting such incidents.