Shortly after the U.S. Department of Transportation (DOT) announced in late October that an internal audit found vulnerabilities within computer servers at the Federal Motor Carrier Safety Administration (FMCSA), the Small Business in Transportation Coalition (SBTC) issued an alert of its own.
In a document sent to the Federal Bureau of Investigation (FBI) on Nov. 1, SBTC Executive Director James Lamb said the recent USDOT Office of Inspector General’s (OIG) audit of the FMCSA’s systems overlooked several key problems. Lamb also sent a letter of concern to the U.S. Office of Special Counsel.
“On October 24, 2021, I reported ongoing daily data breaches at FMCSA to the Bureau’s New York Field Office and have been forwarding information via email to them the past few weeks. I am now writing to memorialize my report to the Bureau,” Lamb wrote in his letter to the FBI.
Lamb also noted that, through the services of a private investigation firm, the SBTC determined in March 2019 that the FMCSA’s systems were being breached through unauthorized access of the agency’s law enforcement officer user portal.
“As FMCSA knows, this is the only way a third party can obtain a carrier’s phone number and email address in real time minutes after FMCSA’s system issues a USDOT Number,” Lamb wrote.
Lamb further wrote that “Only the LEO (law enforcement officer) tool affords this level of access, which we believe means either these third parties have registered as LEOs under false pretenses to acquire unauthorized access or they are bribing actual LEOs to use their bona fide credentials.”
Lamb contends that the government has ignored the SBTC’s “evidence we supplied from a duly licensed private investigative firm that concluded unauthorized disclosure of (personal, private information) has indeed happened and continues to happen. On. A. Daily. Basis. [sic]”
Lamb added: “By knowingly allowing the intrusion to go on for years, we contend the FMCSA has violated its legal obligation to protect citizens’ (personal, private information) and has negligently disseminated industry’s PII by failing to admit to and terminate the breach in the hopes this will go undetected so they don’t have to deal with the fallout.”
FMCSA spokesman Duane DeBruyne deferred questions from The Trucker to a DOT document outlining the internal audit. The DOT has also initiated an audit of the Federal Highway Administration’s (FHWA) information technology infrastructure.
For its part, the DOT said the internal investigation at the FMCSA found multiple critical vulnerabilities on web servers that function within that agency. Those servers contain a “mountain” of personal and sensitive data, the DOT report noted.
“FMCSA did not detect our access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections,” the DOT report stated.
“We also gained access to 13.6 million unencrypted (personal identity) records. Had malicious hackers obtained (these records) it could have cost FMCSA up to $570 million in credit monitoring fees,” the report noted. “Furthermore, the agency does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise.”
The FMCSA uses 13 web-based applications to aid vehicle registration, inspections and other activities.
The DOT said it recommended 13 different points of action that FMCSA officials need to take to better secure the agency’s information.
“We consider all 13 recommendations resolved but open pending FMCSA’s completion of planned actions,” DOT officials said.
On Nov. 3, the Federal Highway Administration (FHWA) announced that it was conducting its own cybersecurity check.
Several drivers The Trucker spoke with about the issue were hesitant to comment. On The Trucker Facebook page, Robin Simmons said she recently received a letter from J.B. Hunt saying that her Social Security number and other information had been compromised.
Jeff Pearson said: “We never had that problem before computers … maybe they should go back … to the old way.”
Russ Robinson said: “So you put out the information that they are vulnerable to hackers, so the hackers can know that they are vulnerable to being hacked? When do the hackers begin hacking the hackable?”
The disclosure of FMCSA’s vulnerabilities comes at a time when cyberattacks on government agencies, private entities and businesses are on the rise.
In the trucking industry, Marten Transport announced in late October that its systems had fallen victim to a cyberattack. Based on a preliminary assessment, Marten officials said they do not believe the incident will have a material impact on its business, operations or financial results.
Most Americans say they have serious concerns about cyberattacks on U.S. computer systems and view China and Russia as major threats, according to a new poll.
The poll, conducted by The Pearson Institute and The Associated Press-NORC Center for Public Affairs Research, shows that about nine in 10 Americans are at least somewhat concerned about hacking that involves their personal information, financial institutions, government agencies or certain utilities. About two-thirds say they are very or extremely concerned.
Roughly three-quarters of respondents believe the Chinese and Russian governments are major threats to the cybersecurity of the U.S. government, and at least half also see Iran — both government and non-government bodies — as threatening.
Several high-profile ransomware attacks and cyber espionage campaigns in the past year have compromised sensitive government records and led to the shutdown of the operations of energy companies, hospitals, schools and more.
The explosion in the last year of ransomware, in which cybercriminals encrypt an organization’s data and then demand payment to unscramble it, has underscored how gangs of extortionist hackers can disrupt the economy and put lives and livelihoods at risk.
One of the cyber incidents with the greatest consequences this year was a ransomware attack in May on the Colonial Pipeline, the nation’s largest fuel pipeline, which led to gas shortages along the East Coast. A few weeks later, a ransomware attack on the world’s largest meat-processing company disrupted production around the world.
Victims of ransomware attacks have ranged from key U.S. agencies and Fortune 500 companies to smaller entities such as the city of Leonardtown, Maryland, which was one of hundreds of organizations affected worldwide when software company Kaseya was hit by ransomware during the Fourth of July weekend.
“We ended up being very lucky, but it definitely opened our eyes that it could happen to anyone,” said Laschelle McKay, the town administrator. She said Leonardtown’s IT provider was able to restore the town’s network and files after several days.
The criminal syndicates that dominate the ransomware business are mostly Russian-speaking and operate with near impunity out of Russia or countries allied with Russia, according to reports from the U.S. government and other agencies. The U.S. government has also blamed Russian spies for a major breach of U.S. government agencies — an incident known as the SolarWinds hack, so named for the U.S. software company whose product was used in the hacking.
China has also been active. In July, the Biden administration formally blamed China for a massive hack of Microsoft Exchange email server software and asserted that criminal hackers associated with the Chinese government have carried out ransomware attacks and other illicit cyber operations.
“The amount of Chinese cyber actors dwarfs the rest of the globe, combined,” said Rob Joyce, the director of cybersecurity at the National Security Agency. “The elite in that group really are elite. It’s a law of large numbers.”
Both Russia and China have denied any wrongdoing.
The Associated Press contributed to this report.
Born in Pine Bluff, Arkansas, and raised in East Texas, John Worthen returned to his home state to attend college in 1998 and decided to make his life in The Natural State. Worthen is a 20-year veteran of the journalism industry and has covered just about every topic there is. He has a passion for writing and telling stories. He has worked as a beat reporter and bureau chief for a statewide newspaper and as managing editor of a regional newspaper in Arkansas. Additionally, Worthen has been a prolific freelance journalist for two decades, and has been published in several travel magazines and on travel websites.