After the attempted hack of the Federal Motor Carrier Safety Administration’s (FMCSA) medical database just over three years ago, the agency has been working to build up the digital defenses around its databases. But, after the Office of Inspector General (IG) for the Department of Transportation completed an audit of the administration’s information technology, it seems there are still major security flaws in FMCSA’s data-banking systems.
On Oct. 20, the IG released a report detailing its recent audit of FMCSA’s 13 web-based applications, which store data on inspections, compliance, vehicle registration, and other activities. The stated objective of the IG audit was “to determine whether FMCSA’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data.”
The IG audit came back with some serious red flags that pointed to weak spots in FMCSA’s data banks, concluding that the information stored in FMCSA’s IT infrastructure is at serious risk of being compromised in the future. The audit team breached several agency web servers that house information and gained unauthorized access to FMCSA’s network. FMCSA did not detect the breach or the unauthorized activity within its own servers. The audit report stated, “FMCSA has not established adequate protections against malicious code and does not have effective detection controls in place to alert its administrators when malicious code is detected.”
Perhaps the most unsettling information in the audit report was the specific data that was so easily accessed. The audit team was able to access 13.6 million unencrypted records containing personally identifiable information (PII), including data that allows the identity of an individual to be reasonably inferred directly or indirectly. PII is often defined as including information such as Social Security numbers, driver’s license numbers, financial and medical records, or a criminal history. If this data had been procured by malicious hackers, it could have cost the FMCSA as much as $570 million in credit monitoring fees.
These problems raise justifiable concerns, since no one wants their data to be inappropriately accessed or held for ransom. Thankfully, measures are being taken immediately to remediate vulnerabilities. FMCSA has already removed all personally identifiable information from a pre-production environment and performed a comprehensive review of the agency’s login credentials, among other things. FMCSA’s Deputy Administrator Meera Joshi has committed to implementing all of the IG’s remaining recommendations by November of next year.
TCA urges our federal partners at FMCSA to take these security issues seriously, as a breach of private data would be irrevocably harmful to America’s fleets. Truckload carriers are currently working in overdrive to deliver goods to a nation in the midst of a supply chain crisis, and they cannot be disrupted by the enormous speedbump that would be caused by a malicious breach of FMCSA’s data.
We recognize that the federal government’s IT infrastructure is in desperate need of an upgrade, as evidenced by the crash of the Drug and Alcohol Clearinghouse after it was launched in January 2020, but keeping personal data secure from hackers is the most basic and yet most important priority. As such, Congress must provide FMCSA with the financial resources needed to keep data secure, and FMCSA must make the best use of the IT infrastructure already available.