Following the loss and possible theft of two laptops containing the personal data of 3,930 truckers who handle hazardous materials, the Transportation Security Administration has mandated that contractors must encrypt any and all data on top of any deletion policies they have in place.
According to a letter the TSA sent to lawmakers on Oct. 12, the laptops—both of which belonged to a TSA contractor—contain names, addresses, birthdays, commercial driver's license numbers and, in some instances, Social Security numbers of the affected truckers.
First, one laptop was lost. At that time, the contractor, L-1 Identity Solutions' Integrated Biometric Technology division, told the TSA that the truckers' information had been deleted from the system, TSA Public Affairs Manager Ann Davis told eWEEK.
Then, another laptop disappeared. After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the deleted information could be retrieved if a thief had the proper training.
“So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place,” Davis said.
The TSA requires that all individuals who transport hazardous waste provide information for a security clearance in a program called the Hazardous Materials Endorsement Threat Assessment that's mandated under the Patriot Act.
This isn't the first time the TSA has found itself in data-breach hot water, and it isn't the agency's biggest data breach, by a long shot. On May 7, the agency announced that a hard drive containing personal information belonging to 100,000 government workers had been lost.
The TSA is also requiring Integrated Biometric Technology to provide free credit reporting to the affected individuals.
L-1 Identity Solutions couldn't immediately provide a spokesperson to give information to eWEEK on the incident.