
Sensitive DOT documents deemed vulnerable to hacker attacks

WASHINGTON — Vulnerability testing at the U.S. Department of Transportation found that employee personal information and other sensitive documents are at risk due to ineffective IT security measures, according to a federal regulator.

By using publicly available administrator account credentials, auditors at the department’s Office of Inspector General were able to gain unauthorized access to printers used by employees of the Department of Transportation’s Federal Highway Administration, according to an OIG report published on Wednesday.

This access allowed investigators to view all kinds of personal information that employees had previously printed, scanned or faxed, including marriage certificates, medical bills and prescriptions, employees’ last wills, tax documents, bank statements, home addresses and Social Security numbers.

As part of the unauthenticated access tests, the OIG also found that no authentication was required in the unsecured conference room, which “allowed us to transition from the FHWA intranet to the FAA intranet,” the agency said in the report.

“We then gained unauthorized access to FAA systems that were intended to be restricted to authorized FAA personnel only, containing confidential documents, as well as documents containing proprietary data that are not authorized for other government agencies or vendors.”

These documents included airport maintenance logs, detailed future maintenance plans, VIP passenger lists and editable flight logs.

“We also gained access to the FAA National Operations Control Center application and the FAA Technical Drawings website, which contains drawings and designs from third-party contractors, as well as military drawings and diagrams.

“We finally gained access to an aviation search tool containing global airports, helipads and tactical landing sites classified under a pseudonym in the FAA National Maintenance Alert System.”

The audit, conducted between November 2021 and August 2024, identified thousands of individual vulnerabilities in FHWA that were more than a year old and had not been remedied within specific DOT-required timelines.

Among them, the OIG found:

  • 541 critical vulnerabilities, 80% of which were not fixed within 30 days of being identified.
  • 1,366 serious vulnerabilities, 91% of which were not fixed within 30 days of identification.
  • 4,755 medium vulnerabilities, 99% of which were not fixed within 60 days of identification.

The OIG made eight recommendations to DOT, including directing the department’s IT office to develop and implement a plan to remediate all identified critical, high-level, and medium-level vulnerabilities, as well as to enforce DOT’s security policy of removing default credentials for all compromised devices, including shared network printers.

DOT blamed some of the audit results on a lack of communication between the department and the OIG. It also noted that although the audit was internal in nature, “OIG was unable to penetrate DOT and FHWA’s IT infrastructure externally, demonstrating the strength of the Department’s defenses against external threats.”

However, the report warned that until DOT implements appropriate IT network security measures, “the Department and its operational administration will continue to be at risk of cyber attacks that could seriously impact their missions.”

Click to see more FreightWaves articles by John Gallagher.