The Federal Motor Carrier Safety Administration’s websites are at risk of being hacked, an investigation by the Department of Transportation’s Inspector General’s office has found.
FMCSA servers failed to detect DOT’s access or placement of malware on the network because the agency did not use required automated detection tools and malicious code protections, according to the report.
“In our testing, we demonstrated that the network has serious vulnerabilities that increase the likelihood that hacking attempts will succeed. As a result, these vulnerabilities make FMCSA’s information technology infrastructure and the sensitive information stored on it more vulnerable to unauthorized access and security compromises,” the 26-page report concluded.
A “basic hacker technique” was used to gain unauthorized access to FMCSA’s network, according to the IG audit.
13.6 million records
Investigators gained access to 13.6 million unencrypted personal records from the FMCSA websites. Had malicious hackers obtained these records, it could have cost FMCSA up to $570 million in credit monitoring fees, the report noted.
It also found the agency “does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise.”
The FMCSA uses 13 web-based applications to aid vehicle registration, inspections and other activities. Many of the agency’s information systems contain sensitive data, including personally identifiable information.
“Due to the importance of FMCSA’s programs to the transportation system and sensitivity of some Agency information, we conducted this audit of FMCSA’s information technology (IT) infrastructure. Our objective was to determine whether FMCSA’s IT infrastructure contains security weaknesses that could compromise the Agency’s systems and data,” the report noted.
The DOT said it recommended 13 different actions that FMCSA officials need to take to better secure their information.