Security gaps found in State Department travel database

A crucial State Department database used to vet travelers to and from the US has security gaps that cyber defense experts think could have allowed hackers to either alter or steal visa information, according to a report.

“We are, and have been, working continuously… to detect and close any possible vulnerability,” State Department spokesman John Kirby said in a statement to ABC News, which first broke news of the database flaw.

The discovery was made several months ago, after the State Department commissioned an internal review of its cyber-defenses and found the database was at risk of being compromised, according to sources who spoke to ABC News. They say that no breach was detected, however.

Officials were concerned the security gap could help foreign nations plant spies in the US, or be exploited by Islamic State (IS, formerly ISIS/ISIL), which has expressed interest in subverting the visa system.

The sensitive information is contained in the Consular Consolidated Database (CCD), one of the world’s largest biometric repositories, with half a billion records. It includes information about almost everyone who has applied for a US passport or visa in the last 20 years and contains photographs, fingerprints and Social Security numbers.

The vulnerability would be difficult for hackers to exploit, because they would have needed “the right level of permissions” within the system, which officials said was a tough task. The State Department views it as the “lowest threat category.”

The security gap was made known to high-level officials across government and sparked concerns that adversaries could have altered information used to approve or reject visa applications.

In 2015 alone, the State Department denied more than 2,200 applications from people with “suspected connection to terrorism,” Lev Kubiak, a senior Homeland Security official, told lawmakers last month, according to The Hill.

Thousands of temporary farm workers and tourists were left stranded last year when the State Department announced a hardware problem that halted the issuing of visas for two weeks. A spokesman for Foggy Bottom told reporters at the time that more than 100 experts from both public and private sectors were trying to fix the problem.

The hardware failure had affected the system that carried out security checks on visa applications, halting work at 235 consular posts. A central database wasn’t receiving biometric information that included fingerprints from US consulates worldwide. The problem was not attributed to a cyber-security attack.

In 2014, American visas literally became unobtainable in consulates worldwide for nearly two weeks, as IT specialists struggled to fix the State Department’s consular database.

That problem turned out to be “a combination of software optimization and hardware compatibility issues,” according to Marie Harf, the State Department’s deputy spokesperson at the time.

In March 2009, the Government Accountability Office (GAO) conducted an undercover investigation into visa and passport vulnerabilities, obtaining four genuine US passports by using counterfeit or fraudulently obtained documents, such as birth certificates and drivers’ licenses, and the Social Security numbers of fictitious or deceased individuals.

“In the most egregious case, our investigator obtained a US passport using counterfeit documents and the SSN of a man who died in 1965,” the GAO report said. “In another case, our undercover investigator obtained a US passport using counterfeit documents and the genuine SSN of a fictitious 5-year-old child – even though his counterfeit documents and application indicated he was 53 years old.”

The GAO also said many of the problems identified in a 2007 probe still persisted, and concluded “more needs to be done because of the critical role acceptance agents play in establishing the identity of passport applications, which is critical to preventing the issuance of genuine passports to criminals or terrorists as a result of receipt of fraudulent application.”