IG Audit: FMCSA Systems Vulnerable to Hacking, Malware

Oleksii Didok/Getty Images

[Stay on top of transportation news: Get TTNews in your inbox.]

A new Department of Transportation Inspector General audit concludes that the Federal Motor Carrier Safety Administration’s information technology infrastructure is fraught with security weaknesses that are at risk for compromise by hackers and the placement of malware.

The audit, made public on Oct. 20, said the IG itself used “basic hacker technique” to gain unauthorized access to FMCSA’s network.

“We found several agency web servers which allowed us to gain unauthorized access to FMCSA’s network,” the audit said. “FMCSA did not detect our access or placement of malware on the network in part because it did not use required automated detection tools and malicious code protections.”

“We also gained access to 13.6 million unencrypted personally identifiable information records,” auditors said. “Had malicious hackers obtained this PII, it could have cost FMCSA up to $570 million in credit monitoring fees.”


The Inspector General said FMCSA’s core information system applications play an important role in support of the agency’s mission processes. The agency uses 13 web-based applications, to aid vehicle registration, inspections, compliance monitoring and enforcement. Many of FMCSA’s information systems contain sensitive data, including personally identifiable information.

“Until the department implements appropriate safeguards and countermeasures to protect its networks, the department and its operating administrations will continue to be at risk for a potential enterprisewide cybersecurity attack that could have a major impact on its mission,” the audit said. “Furthermore, the agency does not always remediate vulnerabilities as quickly as DOT policy requires. These weaknesses put FMCSA’s network and data at risk for unauthorized access and compromise.”

Asked for comment on the audit, an FMCSA spokesman referred a reporter to a letter written by FMCSA Deputy Administrator Meera Joshi outlining the agency’s response to the critical audit.



Joshi agreed that the IT systems “play a critical role in supporting the agency’s mission to reduce crashes, injuries and fatalities involving large trucks and buses.”

“FMCSA is committed to ensuring the security of its systems, maintaining the accuracy of data that the agency is mandated to collect, and protecting collected information from unauthorized access,” the letter said. “FMCSA notes that there have been no major incidents attributed to FMCSA systems.”

Joshi wrote that the agency has removed all personally identifiable information from a pre-production environment, performed a comprehensive review of the agency’s login credentials, migrated the responsibility for its IT infrastructure to the Departmental Office of the Chief Information Officer, and performed a comprehensive review of the login credentials associated with servers and applications.

The agency agreed with all 13 of the IG’s recommendations, but said it already has fixed only six of the recommendations. It said it planned to fix the remaining recommendations by November 2022.

FMCSA IT Infrastructure Final Report by Transport Topics on Scribd

But the IG said FMCSA’s security policies and processes must adhere to these departmental policies as well as guidelines from the National Institute on Standards and Technology. The compendium requires departmental system users to complete and sign the DOT Rules of Behavior.

These Rules of Behavior require users to:

  • Choose passwords that are at least 12 characters long and have a combination of letters (upper and lower case), numbers, and special characters.
  • Protect passwords and personal identification numbers for log-ons from disclosure, not record passwords or access control numbers on paper or in electronic form, or store them on or with DOT workstations, laptop computers or portable electronic devices.
  • Not provide any personal or departmental information solicited by email, forward to the appropriate DOT security help desk any email requesting such information or account or security settings verifications, and then delete the email.

Want more news? Listen to today's daily briefing below or go here for more info: