Does the State Dept. Ignore Security?

For the second time in four months, a State Department employee has pleaded guilty to accessing the personal information of citizens in the department’s passport records without proper authorization.

According to the Department of Justice, Dwayne F. Cross, 41, of Upper Marlboro, Md., pleaded guilty before Judge John M. Facciola in U.S. District Court for the District of Columbia to one count of unauthorized computer access.

Cross admitted that he logged on to the State Department’s Passport Information Electronic Records System (PIERS) database and viewed the passport applications of more than 150 celebrities, politicians, members of the media between January 2002 and August 2007. He did so because he was curious. He is scheduled to be sentenced on March 23.

The case comes about four months after State Department intelligence analyst Lawrence C. Yontz pleaded guilty to unlawfully accessing hundreds of confidential passport files.

And last March, the department admitted that the private passport files of all
three presidential candidates
had been inappropriately accessed.

More prosecutions may be on the way. “Cross is the second former State Department employee to plead guilty in this continuing investigation,” the DoJ said in its statement. DoJ spokesperson Laura Sweeney declined to comment.

Cross admitted to having access to official State Department computer databases when he served as an administrative assistant in the Bureau of Consular Affairs, Overseas Citizens Services, Children’s Issues at the State Department from August 2001 through February 2008.

Warnings ignored

State Department officials said at a press
in March 2008 that anyone accessing PIERS sees a warning on the computer screen saying the system’s records are protected and access to them is on a need to know basis.

But that warning does not seem to be effective, if the frequency of incidents involving unauthorized access is any indication.

Management indifference is partly responsible for incidents like this, Scott Christie, a partner at law firm McCarter & English and a former federal prosecutor, told

“Unless and until there are public embarrassments like this that happen, management will not deem appropriate security measures a high enough priority.”

The lack of proper management showed up during an audit looking at access to PIERS in July, the State Department’s Office of the Inspector General (OIG).

“OIG found many control weaknesses – including a general lack of policies, procedures, guidance, and training – relating to the prevention and detection of unauthorized access to passport and applicant information and the subsequent response and disciplinary processes when a potential unauthorized access is substantiated,” the OIG report on the audit said.

The OIG made 22 recommendations to address these control weaknesses. The report is available here.

The State Department did not comment by press time.

The problem of unauthorized access by insiders to sensitive information worries enterprises. More than half the respondents to a survey conducted for Rohati Systems said insider access is their gravest security concern.

Findings like that are leading vendors to focus on identity and access management applications, as they believe controlling access to data by a user’s identity and role will improve security and reduce the chance of data breaches.

“You need a process to ensure that the only people who have access to data are those whose job responsibilities require them to do so,” Deepak Taneja, founder, president and CTO of enterprise access governance solutions vendor Aveksa, told “The solution lies in a combination of people, process and technology.”

Update adds name of Taneja’s company.

News Around the Web