Skip to navigation Skip to content
Click here to find out how TSA's Secure Flight helps Alex Johnson

Background on Committee Report Regarding TSA's Redress Web Site

News & Happenings

January 11, 2008

What Happened

What Went Wrong

TSA discovered several problems with the planning, development and operation of the Web site, including:

  • The Web site contained numerous technical flaws, most importantly a link for inputting personal information and transmitting it via an unsecured method.
  • Hosting the site outside of the .gov domain and using servers that were housed in a commercial third party site not under the control of TSA.
  • Specific intrusion detection software had not been provided as required by the contract.

What We've Done

  • On the same day the problems were discovered, TSA moved the site from its .com domain to a .gov domain that had been created in anticipation of the DHS’ consolidated Traveler Redress Inquiry Program.
  • A permanent, Department wide traveler redress program is now consolidated under DHS in a secure government domain. Since this consolidated site launched, more than 16,000 travelers have securely applied for redress.
  • Servers have been moved in house and now reside under the direct control of TSA officials.
  • The Chief Information Security Office is now responsible for certifying all sites prior to launch.

TSA launched a Web site in October 2006 in an effort to allow travelers that experienced security related delays relating to their identities to apply for redress. This site was designed, posted and hosted by Virginia-based Desyne Web Services, Inc. Passengers using the Web site were required to submit personal information, including full name, address, date of birth and passport number.

On February 13, 2007, TSA was alerted to potential security issues with the site by several postings on the Internet and reporters contacting the agency. Some of these postings even suggested it looked like hackers phished the redress Web page. The postings and inquiries included several reasons for concern, the most important being that the site was operating from a .com domain not a .gov and that a critical document upload link did not use proper security protocols.

Later that same day, TSA moved the site from its .com domain to a .gov domain that had been created in anticipation of the Department of Homeland Security’s consolidated Traveler Redress Inquiry Program (www.dhs.gov/trip).

A forensic audit was conducted and we learned that 247 people had used the non-secure document and upload to apply for redress with TSA. We immediately reached out to these individuals and warned them of this situation, specifically telling them that no one from TSA would contact them and ask for information from them. We also suggested several methods of monitoring their credit. To this point, TSA has no knowledge of any of these individuals' identities being misused.

It is important to know that the only time the information was not secure was from the desktop of the user en route to the servers that process the redress applications. For an individual's identity to be compromised, it would have to have been intercepted during this transmission, over 12 months ago.

Cooperation

TSA has cooperated fully with the Committee on Oversight and Government Reform, providing documents and access to officials in a timely manner in the spirit of continous improvement and joint collaboration.