TSA Accidentally Posts Security Protocols

A user unfamiliar with certain functions of Adobe’s popular Portable Document Format was to blame for a recent breach involving  sensitive Transportation Security Administration documents. Though the case doesn’t bear the hallmarks of one encompassing identity theft risk—no Social Security numbers, debit or credit card numbers were lost—it’s worth reading media accounts of the case if you work with sensitive PDF files. In TSA’s case they were really sensitive—a full copy of the agency’s standard operating procedures.

This included “procedures for screening passengers and checked baggage, such as technical settings used by X-ray machines and explosives detectors,” according to The Washington Post. It also includes “pictures of credentials used by members of Congress, CIA employees and federal air marshals, and it identifies 12 countries whose passport holders are automatically subjected to added scrutiny,” the paper added. 

Discover Magazine says the TSA “seriously dropped the ball” by making the information available online. Though the agency redacted the info using a graphics tool, the redaction was such that it allowed users who cut and pasted the blacked-out info to read its contents. The information was posted on a federal procurement Web site, the Post reports.

One former Department of Homeland Security official, Stewart A. Baker, took aim at the agency, saying that the inadvertent posting could provide a “textbook” for those seeking to penetrate aviation security, according to the Post. But another former DHS official says it’s not as much of a security risk as a PR blunder, according to the paper.

Informationweek.com reports that current Homeland Security Secretary Janet Napolitano has told the Senate Judiciary Committee that her department is investigating, but she also sought to reassure the public with the disclosure that many of the manuals procedures had been changed since its publication. The site notes that the situation wasn’t a result of a flaw in Adobe’s product, but rather “its existence shows how those handling secure information should be fully trained in the software they're using.”