In July 2021, the Department of Homeland Security (DHS) learned of an alleged exposure of more than 1.9 million Federal terrorist watchlist records. Consequently, the Office of Inspector General (OIG) sought to determine whether DHS has an effective approach to safeguard and share terrorist screening data.
On July 25, 2022, OIG presented its findings from the audit. The watchdog determined that DHS has an approach in place to safeguard and share terrorist screening data, and that DHS’ policies and procedures comply with Federal standards for safeguarding sensitive data, including terrorist watchlist records that are used, stored, and shared by the Department.
The Federal Bureau of Investigation’s Terrorist Screening Center (TSC) compiles and owns the data in the watchlist. TSC creates tailored exports of watchlist records and sends updates to DHS through a secured connection. DHS uses the watchlist data to conduct frontline operations in counterterrorism, law enforcement, border security, and inspections. For example, U.S. Customs and Border Protection (CBP) officers use watchlist data and other information contained in various Federal and partner-agency information technology systems to inspect travelers seeking entry into the United States to ensure they are eligible for admission. Similarly, Transportation Security Administration (TSA) agents use watchlist data to identify and prevent known or suspected terrorists, or other individuals who may pose threats to transportation security or public safety, from boarding an aircraft or accessing sterile areas of airports.
During the audit, OIG received consistent feedback from DHS officials that the Department’s policies and guidance established practices to safeguard sensitive data, including watchlist records, and to govern information sharing between DHS components and with partner agencies and external stakeholders, such as contractor personnel. Additionally, the Office of Intelligence & Analysis (I&A) established the Department’s Information Sharing Environment in 2014 to facilitate sharing of information related to terrorism and homeland security. This enables the Department to share terrorism information internally and externally through an established set of standards, architecture, security measures, access controls, policies, agreements, and management practices.
OIG also determined that DHS components have policies and procedures for safeguarding and sharing sensitive information. DHS requires each component to maintain its own information security program. OIG reviewed the policies from CBP and TSA and determined they conform with DHS requirements. Both components’ policies contain specific guidance for employees, contractors, and other users who access CBP and TSA systems. Examples of information security guidance include user access controls, information sharing controls, user training requirements, audit and accountability controls, system security controls, and privacy controls.
Regarding the alleged exposure of data last year, DHS learned on July 19, 2021, of a social media post alleging more than 1.9 million TSC terrorist watchlist records were exposed publicly online. Subsequently, media outlets reported the records contained sensitive information on people, including their names and personal information such as citizenship, gender, date of birth, passport details, and no-fly list status. The exposed data also included the data identifier “TSC_ID,” which may have referred to a TSC watchlist identification number.
OIG found that DHS responded appropriately by immediately notifying the TSC and confirmed that DHS was not involved in the alleged incident. TSC reviewed the matter and notified DHS that the exposed data contained old screenshots of useless information.