Bombshell Report Reveals FMCSA Left Trove of Drivers’ Personal Data Exposed to Hackers
Washington D.C. — A recent investigation of the Federal Motor Carrier Safety Administration’s (FMCSA) cybersecurity systems revealed alarming findings.
The U.S. Department of Transportation (USDOT) Office of Inspector General (OIG) conducted a network security assessment of the FMCSA’s information technology (IT) infrastructure between October 2020 and August 2021.
According to a 26-page bombshell report, OIG hackers were able to “gain unauthorized access” to FMCSA’s network, including administrative web servers hosted on the Agency’s cloud environment.
“Because FMCSA was not following USDOT policy on password establishment, we gained unauthorized access to the Agency’s network and systems,” the heavily redacted report states.
OIG investigators were able to place malware on the network, and FMCSA officials did not detect the threat for a month.
“FMCSA has not established adequate protections against malicious code and does not have effective detection controls in place to alert its administrators when malicious code is detected,” the OIG reported. “We intentionally did not cover our tracks to determine whether FMCSA could detect our access. If we had covered our tracks, the Agency most likely would not have detected our unauthorized access.”
Even more disturbing, OIG hackers gained access to 13.6 million unencrypted personally identifiable information (PII) records of commercial driver’s license (CDL) holders.
PII records left exposed during the assessment included commercial drivers’ contact and medical examination information as well as license and contact data for certified medical examiners.
“If our attacks had been malicious, the damage could potentially result in credit monitoring for affected individuals, costing the Agency an average of $41.73 per person and up to $570,367,559,” the OIG warned. “Citizens’ identities whose PII is at risk could suffer substantial harm, inconvenience, and financial disruption, up to and including identity theft. Furthermore, the disclosure of this information could cause serious public embarrassment to the Agency.”
Astoundingly, even when FMCSA officials detected the threat, the OIG concluded the Agency did not “remediate system vulnerabilities according to USDOT policy, which requires remediation of critical and high vulnerabilities within 30 days of detection.”
As a result of its findings, the OIG made a total of 13 recommendations regarding the immediate steps necessary to secure the Agency’s IT systems.
An internal memo dated September 23, 2021, penned by FMCSA Deputy Administrator Meera Joshi, informed the OIG that FMCSA officials concurred with its findings and security recommendations.
Additionally, Joshi indicated Agency officials had completed six of the security measures thus far, and would accomplish the remaining seven no later than September 14, 2022.
Joshi did not mention if any FMCSA officials have been or will be disciplined or fired for the egregious lack of security and oversight of its IT systems.
The OIG also did not reveal how long FMCSA’s systems may have been putting drivers’ PII at risk or if cybercriminals had already stolen loads of data.