Data loss lessons from TSA disclosure

As reported on Wednesday in the Washington Post and elsewhere, the Transportation Security Administration (TSA) inadvertently disclosed sensitive information about its airline passenger screening practices by posting a document containing this information online. The mistakes involved occurred at several levels, including human errors and poor choices in technology, so even where it seems theTSA was trying to do things the right way (recognizing the sensitivity of the information and therefore redacting the secrets before publishing it), the net result is the same. TheTSA’s unfortunate experience illustrates several considerations of which any organization managing and using sensitive data ought to be aware.

• Understand that data is an asset, and must be treated and protected as such. This is especially true of sensitive information like the TSA’s ostensibly secret procedures and guidelines, and of intellectual property any organization has the comprises information about confidential business strategies, operational details, or competitive advantages.
• Know what data you have, and attach data sensitivity categorizations to it. Pretty much everyone is familiar with the military classification system, but in any context it is important to be fully aware of what data you have, the nature of that data, where it is stored, and what it’s sensitivity level is, whether that’s based on internal value or on the potential impact to the organization should the information be disclosed.
• Where sensitive data must be shared, take appropriate measures to ensure only those with appropriate authorizations can access it, including the use of encryption and other approaches to protect data in transit, in use, and at rest.
• Choose appropriate tools and technologies to protect sensitive data. Even without knowing the specific technology used to redact the sensitive material in the TSA document that was published, what is clear is that the underlying data wasn’t changed, but some sort of digital mask or overlay was put in place. Using a graphical blackout function may be fine to prevent “shoulder surfing” in much the same way a password field in an online form shows “******” instead of the characters actually entered, but is not the same thing as rendering the data unreadable. An “old school” approach such as blacking out the sensitive information in a paper copy of the document and then scanning the redacted version to create a digital copy seems unsophisticated, but would not have allowed the disclosure that occurred using whatever digital redaction tool TSA employed.
• Monitor the flow of information out of your organization. If the simple exercise of copying redacted text and pasting into a different application was sufficient to expose the sensitive data, it’s hard to imagine that a content inspection tool through which the TSA document might have passed wouldn’t have been able to recognize that the full contents of the document were in fact readable. This is not intended to be a wholesale endorsement of content inspection or any data loss prevention (DLP) technology, but in cases like this where personnel are trying to follow policy and just happen to do that with an ineffective tool, a secondary line of defense provides an added measure of assurance.

Perhaps more disappointing than the disclosure itself is the response to the incident by TSA and DHS officials, who suggested that since the document was widely circulated among airline industry organizations that this new disclosure did not represent significant new risk to airline safety. This is essentially saying that since lots of (authorized) people have access to the information already, it probably isn’t that hard for an unauthorized person to get access to it. If that is really the case, then the TSA isn’t doing enough on its own or with its industry to secure its sensitive information.