Three years after the Federal Motor Carrier Safety Administration’s new medical examiner’s registry was hacked, the agency’s information technology infrastructure is still at risk of being compromised, according to a new report from the Department of Transportation’s Inspector General’s office.
The FMCSA uses 13 web-based applications to aid vehicle registration, inspections, and other activities. Many of FMCSA’s information systems contain sensitive data, including personally identifiable information.
Although the IG’s report doesn’t cite a specific reason for its investigation, which began two years ago, the late 2017 hack of the registry is still causing delays in full implementation of the certified medical examiner program. While FMCSA said the hack was unsuccessful in that no personal information was exposed, the incident caused the agency to go back to the drawing board to develop a more secure portal.
According to its announcement, the inspector general’s audit of FMCSA’s IT infrastructure was conducted because of the importance of FMCSA’s programs to the transportation system and the sensitivity of some agency information. Its objective was to determine whether FMCSA’s IT infrastructure contains security weaknesses that could compromise the agency’s systems and data.
And it found them.
“We found vulnerabilities in several agency web servers that allowed us to gain unauthorized access to FMCSA’s network,” notes the IG’s report. “FMCSA did not detect our access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections. We also gained access to 13.6 million unencrypted [personally identifiable information] records. Had malicious hackers obtained this PII, it could have cost FMCSA up to $570 million in credit monitoring fees.”
The report also said FMCSA “does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise.”
The office made 13 recommendations, which it said the FMCSA concurred with. However, because publicizing the recommendations could constitute a security risk, the IG’s office did not disclose what those recommendations were.