A US Department of Transportation computer system used to reimburse federal government employees for commuting costs somehow suffered a security breach that exposed the personal info for 237,000 current and former workers.
TRANServe – an electronic travel pass system managed by DoT, and used by many employees across the federal government to encourage use of public transport – told Congress it made a mistake in protecting that data.
The DoT told The Register its CIO office “isolated the breach to certain systems at the department used for administrative functions, such as employee transit benefits processing,” adding that the incident did not affect any transportation safety systems. The DoT told us it was still investigating and has suspended access to the system (as confirmed by the TRANServe website) until it can secure and restore it with full confidence.
Additional questions, including when the incident was first detected and what sort of personal information may have been leaked, as well as any guesses as to how it happened, have not been answered.
According to Reuters, the blunder affected 114,000 current and 123,000 former federal government employees.
Recommendations unfulfilled means lots of data is getting spilled
Talk about bad timing.
Just yesterday, the US Government Accountability Office (GAO) released a report finding that while the DoT has fulfilled recommendations to define cybersecurity roles and responsibilities, it didn’t follow through in some cases.
That, unfortunately for the DoT’s cybersecurity posture, is the tip of the iceberg when it comes to shortcomings that may have contributed to the TRANServe breach.
In a report reviewing the current status of the DoT’s priority recommendations from the GAO dated May 9, US Comptroller General Gene Dodario said that the DoT has only implemented 67 percent of the recommendations the GAO made to it, 10 percent shy of the federal government average.
“As of April 2023, DoT had 178 open recommendations. Fully implementing these … could significantly improve agency operations,” Dodario said, adding that since July of last year the DoT had only implemented one of the GAO’s 16 priority recommendations for the Department.
Jennifer Franks, director of the GAO’s Center for Enhanced Cybersecurity and its IT & Cybersecurity Teams, told The Register there have been a lot of recommendations made to the DoT over the years, but many priority fixes remain unresolved.
As a result, Franks said, the DoT doesn’t have proper risk management strategies in place, lacks a good understanding of the risks of a government-wide IT labor shortage and doesn’t have a plan in place to respond to privacy incidents like the exposure of PII.
Franks told us that much of the cybersecurity and IT trouble the DoT is facing boils down to workforce issues, including the fact that “there are no senior [DoT] officials responsible for privacy who manage the documentation for privacy matters.”
The lack of oversight into privacy matters is key to this incident, Franks said, as without someone in charge of handling data exposure it’s unclear how and when employees whose data was exposed will be notified.
“DoT should fully define and document a process for ensuring that the senior agency official for privacy is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy,” Franks said in an email. “Addressing our recommendation would help DoT better identify its privacy staffing needs and ensure that it has a sufficient and well-qualified privacy workforce,” Franks added.
Along with that recommendation, the DoT also has yet to act on include addressing skill gaps, getting a proper risk management strategy in place (Franks told us DoT intends to implement something by the end of this fiscal year), determining the DoT’s current level of cybersecurity framework adoption, and oversight of automated technology. ®