WASHINGTON — Vulnerability tests conducted at the U.S. Department of Transportation revealed that employees’ personal information and other sensitive documents are at risk because of ineffective IT safeguards, according to a federal watchdog.
By using publicly available administrator account credentials, auditors at the department’s Office of Inspector General were able to gain unauthorized access to printers used by employees at DOT’s Federal Highway Administration, according to OIG’s report published on Wednesday.
That access allowed investigators to see all kinds of personal information that employees had previously printed, scanned or faxed, including marriage licenses, medical billings and prescriptions, employees’ last wills and testaments, tax documents, bank account statements, home addresses, and Social Security numbers.
As part of its testing of uncredentialed access, the OIG also found that no authentication had been required from an unsecured conference room, which “allowed us to traverse from the FHWA intranet to the FAA intranet,” the agency stated in the report.
“We then gained unauthorized access to FAA systems that were supposed to have restricted access to only authorized FAA personnel, containing sensitive documents as well as documents with proprietary data not authorized for other government agencies or vendors.”
Those documents included airport maintenance logs, detailed future maintenance plans, VIP passenger lists and editable flight logs.
“We also accessed an FAA National Operation Control Center application and an FAA engineering drawing site containing third-party proprietary contractor drawings and designs as well as military drawings and schematics.
“Lastly, we accessed an aviation search tool containing global airports, heliports, and a tactical airstrip classified under a pseudonym within the FAA’s National Maintenance Alert System.”
The audit, conducted between November 2021 and August 2024, identified thousands of individual vulnerabilities at FHWA that were more than a year old and had not been remediated within the timelines required by DOT.
Among them, the OIG found:
- 541 critical vulnerabilities, 80% of which had not been remediated within 30 days of identification.
- 1,366 high vulnerabilities, 91% of which had not been remediated within 30 days of identification.
- 4,755 medium vulnerabilities, 99% of which had not been remediated within 60 days of identification.
The OIG issued eight recommendations to DOT, among them directing the department’s IT office to develop and implement a plan to remediate all identified critical, high and medium vulnerabilities, as well as enforce DOT security policy for removing default credentials for all compromised devices, including shared network printers.
DOT blamed some of the outcomes of the audit on a lack of communication between the department and the OIG. It also noted that while the audit was internal, “OIG was unable to penetrate DOT and FHWA’s IT infrastructure externally, demonstrating the strength of the Department’s defenses against external threats.”
The report warned, however, that until DOT puts appropriate IT network protections in place, “the Department and its Operating Administrations will continue to be at risk for cybersecurity attacks that could have major impact on their missions.”