Sensitive DOT documents have been found vulnerable to hackers

WASHINGTON – Vulnerability testing conducted at the U.S. Department of Transportation has shown that employees’ personal information and other sensitive documents are at risk due to ineffective IT protections, a federal watchdog said.

By using publicly available administrator account credentials, auditors from the department’s Office of Inspector General were able to gain unauthorized access to printers used by DOT’s Federal Highway Administration employees, according to the OIG report published on Wednesday.

That access allowed investigators to see a variety of personal information that employees had previously printed, scanned or faxed, including marriage licenses, medical bills and prescriptions, employee wills, tax documents, bank account statements, home addresses and Social Security numbers.

As part of testing for unauthorized access, the OIG also found that no authentication was required from an unsecured meeting room, allowing auditors to “move from the FHWA intranet to the FAA intranet,” the agency said in the report.

“We then gained unauthorized access to FAA systems that were supposed to have limited access to only authorized FAA personnel, which contained both sensitive documents and documents containing proprietary data that were not authorized for other government agencies or vendors.”

These documents include airport maintenance logs, detailed future maintenance plans, VIP passenger lists and editable flight logs.

“We also had access to an FAA National Operation Control Center application and an FAA engineering drawings site that included drawings and designs from outside contractors, as well as military drawings and schematics.

“Finally, we gained access to an aviation search tool that includes global airports, heliports, and a tactical runway classified under a pseudonym within the FAA’s National Maintenance Alert System.”

The audit, conducted between November 2021 and August 2024, identified thousands of individual vulnerabilities at FHWA that were more than a year old and had not been addressed within DOT-required timelines.

Among them, the OIG found:

  • 541 critical vulnerabilities, 80% of which were not addressed within 30 days of identification.
  • 1,366 high vulnerabilities, 91% of which were not resolved within 30 days of identification.
  • 4,755 medium vulnerabilities, 99% of which were not resolved within 60 days of identification.

The OIG made eight recommendations to the DOT, including directing the department’s IT office to develop and implement a plan to remediate all identified critical, high, and medium vulnerabilities, and to update the DOT security policy to enforce the removal of default credentials for all compromised devices, including shared network printers.

DOT blamed some of the audit findings on a lack of communication between the department and the OIG. It also noted that although the audit was internal, “OIG was unable to externally penetrate DOT and FHWA IT infrastructure, demonstrating the strength of the Department’s defenses against external threats.”

However, the report warned that until the DOT implements appropriate IT network protections, “the Department and its operational administrations will continue to be at risk from cyber-attacks that could significantly impact their missions.”

Click for more FreightWaves articles from John Gallagher.