The hard drive, discovered missing from a controlled area at the federal agency on Thursday, contained the names, Social Security numbers, birth dates, bank account and routing data and payroll information of employees who worked for the agency between January 2002 and August 2005, TSA administrator Kip Hawley said in a notification letter to victims. Authorities are unsure whether the data was lost or stolen.
Hawley apologised to employees whose identity was exposed, but said the TSA has no reason to believe any of the information has been misused. Still, the agency promised to provide affected individuals with one year of free credit monitoring service.
"We are notifying you out of an abundance of caution at this early stage of the investigation given the significance of the information contained on the device," Hawley said. "We apologise that your information may be subject to unauthorised access, and I deeply regret this incident."
The FBI and US Secret Service have opened criminal investigations, according to a separate statement.
The TSA said it has comprehensive data security policies in place and violators face "swift disciplinary action," including firing.
This is the second time in less than a year that the agency responsible for securing the nation’s airports was involved in a data breach.
Last September, a contractor accidentally mailed about 1,200 documents containing Social Security numbers of former TSA employees to incorrect addresses.
"It’s kind of ironic that the government agency charged with maintaining the security of our nation’s transportation system can’t manage the security of its own employees’ files," said Paul Stephens, policy analyst at the nonprofit Privacy Rights Clearinghouse.
"It’s a matter of having the proper protocols in place and enforcing them. A lot of times the protocols exist, and you don’t have the compliance. Typically, the failure is employee compliance."
The latest incident occurred just days after Rep. Tom Davis, R.-Va., reintroduced a bill that would require federal agencies that suffer a data breach to promptly notify victims and to have proper policies in place.
Lost: hard drive with information of 100,000 employees in US
By Dan Kaplan on May 8, 2007 9:57AM