Problem-driver database gets ticketed for security flaws

Computerworld - The U.S. Department of Transportation isn't adequately protecting personal data stored in a national database that state motor-vehicle departments use to identify problem drivers, according to a report released last week by the DOT's inspector general.

In addition, information about people identified as problem drivers isn't being recorded in a timely manner in the mainframe-based National Driver Register (NDR) database, the report said.

The NDR, which is administered by the National Highway Traffic Safety Administration (NHTSA), was designed to allow state motor-vehicle agencies to exchange information on drivers who have been convicted of operating under the influence and other offenses.

The database contains personal information such as the name, date of birth, sex, height and eye color of drivers. When state workers are processing driver's license applications, they can access the NDR via a network that is managed by the American Association of Motor Vehicle Administrators (AAMVA).

According to the inspector general's report, the 42 million records contained in the NDR have been properly secured via data encryption. However, similar controls aren't being applied when the data is transmitted to and between state agencies, the report claimed.

"Federal minimum security standards require the use of sophisticated encryption protection when transmitting sensitive information, such as NDR records," the report said. The current failure to meet that requirement is exposing the network transmissions to possible unauthorized access and unapproved use, it added. The report blamed the situation on a failure by the NHTSA to contractually require the AAMVA to apply encryption during the data transmission process.

The information in the database has been open to compromise in other ways as well, the report said. For instance, the backgrounds of individuals who use the database often aren't being properly vetted before the users are given access to the sensitive information, according to the report.

Similarly, file cabinets containing documents with personally identifiable information culled from the database aren't always well secured against theft, the report said. The findings are based on an audit that workers in the inspector general's office conducted from March 2005 through last December at NHTSA headquarters, the AAMVA's offices in Arlington, Va., a contractor-run facility in New Jersey where the NDR database resides, and the offices of motor vehicle departments in nine states.

In response to the concerns raised by the audit, the NHTSA has agreed to establish an "interconnection security agreement" with the AAMVA under which network transmissions would be encrypted. A draft agreement has already been signed and is being reviewed within the DOT, which expects to finalize the deal during December, according to a written response that was added to the inspector general's report in an appendix.

The NHTSA also said that by next June, it plans to have completed the encryption of all data transmissions between its own facilities and those of the contractor that manages the NDR database. In addition, the backgrounds of all individuals who have access to the database are being validated by the NHTSA.

Read more about security in Computerworld's Security Knowledge Center.