Lax security controls could allow hackers to access personal information in the records of hundreds of thousands of pilots in the ’s aircraft and airmen registry databases, says to a new audit report by the U.S. Transportation Department’s Office of Inspector General (OIG).
The audit also reveals incomplete information in thousands of pilot and aircraft registration records.
Along with putting pilots’ personal information at risk, the OIG says the deficiencies could hinder accident investigations and pilot security screenings required under the 2004 Intelligence Reform and Terrorism Prevention Act.
“FAA has not implemented needed security controls over the registry’s configuration and account management to mitigate the risk of unauthorized access to PII [personally identifiable information],” the OIG says of the pilot database. When applying for a license, pilots must submit their social security number, date of birth, a record of pilot flight time and test results.
Though the FAA says it is not responsible for “information voluntarily submitted to the registry,” the OIG says Office of Management and Budget and National Institute of Standards and Technology rules require the agency to protect personally identifiable information.
Along with other problems, the OIG found that 70% of the 42 servers the FAA uses for the registry “contained at least one high-risk or critical vulnerability—a weakness in an information system that could be exploited for unauthorized access.” In addition, the FAA is not encrypting the registry data, including personally identifiable information and “sensitive information inadvertently submitted by owners for aircraft registrations,” says the OIG.
“The lack of encryption makes reading [personally identifiable information] easier when it is accessed by an unauthorized party or stolen,” it adds.
The OIG also found that the data in many airmen records was incorrect. “Over 43,000 airmen have received certifications even though they have not provided the FAA with accurate permanent personal addresses,” the report states. “Despite its policy, the FAA has permitted pilots to use business and flight school addresses on their applications for certification.”
Regarding the aircraft registration database, the OIG randomly selected 68 out of 10,292 fixed- and rotary-wing registrations and found that 37 had incomplete information. “Based on that finding, we estimate that 5,600 or 54.4% of aircraft owned under trusts for non-U.S. citizens lacked important information such as identity of the trusts’ owners and aircraft operators,” the IOG says. Foreign citizens can register aircraft with the FAA using a trust agreement that transfers the aircraft’s title to a U.S. trustee, who then can register the aircraft under his or her name or an organization’s name.
“Foreign aviation authorities have brought to FAA’s attention numerous accidents, operational errors, and other incidents involving U.S. aircraft registered to trusts for non-U.S. citizen beneficiaries,” says the OIG. “Because the registry lacks information on these aircraft, the FAA is at risk of not being able to meet [under International Civil Aviation Organization rules] and answer these authorities’ requests for information.”