FAA registry of pilots' data at risk of data breach


Personally identifiable information kept within the Federal Aviation Administration's Civil Aviation Registry is at risk for breach, says the Transportation Department office of inspector general.

For a June 27 report (.pdf), auditors examined the registry's system configuration and account management, finding that they don't adequately protect pilots' information, which includes particularly sensitive elements such as their Social Security numbers and medical information.

The registry isn't encrypted, and doesn't require multifactor authentication for registry users to log on to the system. FAA officials told auditors that they use digital signatures to authenticate users, but auditors say they found that not to be the case. There are more than 38,000 registry users who aren't FAA employees, but the agency "only sporadically validates" user accounts and doesn't routinely monitor who's accessing sensitive registry data.

The agency doesn't have in place agreements with third parties that receive registry information to ensure they, in turn, safeguard the personally identifiable information, auditors say.

Auditors also found lax patch management--70 percent of the 42 servers storing registry information had at least one high-risk or critical vulnerability. "Seven servers were missing update patches from 2007 and subsequent years," they say, adding that two of the servers were running operating systems past manufacturer lifecycle support.

In the agency's official response to the audit, FAA officials said annual user account validation and multifactor authentication aren't necessary. The risk of abuse from user accounts is extremely low, they said. As for authentication, the system need only have level 2 identity validity assurance (on a scale of 1 to 4, with 4 permitting system administrators to have the most confidence about the authenticity of users' identity), they said, meaning that passwords are sufficient and that multifactor authentication isn't necessary.

Agency officials also said they won't encrypt all the registry data since the registry has legacy components that make it impractical, although they say that image files stored on a mainframe "are stored with a proprietary wrapper and are not directly readable from storage." The sensitive data residing in databases in the FAA enterprise data center can be erupted and should be so by Dec. 31, official also said.

As for third party access to the registry, FAA says it will add additional security requirements, but not until October.

For more:
- download the report, FI-2013-101 (.pdf)

Related Articles:
TRACON air traffic control modernization faces prospect of more schedule, cost overruns
FAA not providing enough cost benefit information on NextGen, GAO says
ERAM continues to undergo critical failures