IG: Pilots, Your Private Information Is At Risk
A Transportation Department Inspector General (IG) report dated June 18 found "serious security lapses" in systems that the FAA uses to store pilots' personal information, including medical data. Information collected from roughly 465,000 current medical certifications is just the tip of the iceberg. The IG says the FAA's Internet-accessible Medical Support System (MSS) holds records for more than three million airmen, past and present. The IG listed names, addresses, Social Security numbers and other "personally identifiable information" as "not properly secured." According to the report, the system's vulnerabilities allow for the "potential falsification of medical certificates," and more. "Failure to encrypt sensitive personal identifiable information and control remote access to MSS," says the report, "places airmen at unnecessary risk of identity theft, jeopardizes the integrity of the medical certification process, and increases risks of attacks on departmental networks." The FAA is responding, and the IG believes the FAA's current and planned actions will positively address the IG's concerns in most cases.
As an example of the lapses, staff no longer employed by medical examiners were found to still have access to the system. The IG also found that sensitive information was not encrypted and that system passwords were stored "in clear text on the system." It also found that the FAA has exempted the roughly 8500 AME users who have access to the system from the DOT's mandatory security awareness and privacy awareness training. According to the IG, "To ensure aviation safety and protect the privacy of airmen, it is critical that this medical information be secure." The IG report was meant to audit information security and assess the FAA's progress in establishing methods to identify active airmen who are also receiving disability pay. The IG has issued 15 recommendations and believes the FAA is responding well to 12. The FAA does have plans that address the other three, but faces some logistical difficulties in responding more quickly to those.
Find the recommendations, along with the report, here (PDF).