U.S. maritime agency found vulnerable to cyber hackers


Executives and staff at the agency responsible for protecting the health of the U.S. domestic maritime industry are vulnerable to cyber hacking that could cause the agency “serious public embarrassment,” a government watchdog has found.

A report made public today (July 26) by the U.S. Department of Transportation Inspector General (DOT OIG) revealed that “malicious attackers” could have obtained records and stolen the identities of 13 executives and staff who recently joined the U.S. Maritime Administration (MarAd), potentially costing the agency $103 million in credit monitoring fees.

The report outlines how OIG auditors were able to gain unauthorized access to MarAd’s network, in part because the agency did not have a government-recommended alert system able to detect intruders. “We also gained access to records containing PII [personally identifiable information],” the report states. “While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted.”

The OIG report notes that a DOT official could not explain why employees did not encrypt sensitive information given that the information security awareness training they received included a section on the protection of sensitive information. “This official also could not explain why administrators had not applied least privilege controls to the MarAd service account we accessed,” according to the report.

“The same official acknowledged that users were not following DOT policy and security awareness training to adequately protect passwords. The official informed us that [DOT’s Office of the Secretary] is transitioning to the use of personal identification verification cards for network and facility access. MarAd’s lack of adherence to DOT policy on encryption, use of least privilege, protection of PII, and password storage creates a risk for unauthorized access to MarAd” and other information, the report affirmed.




Source: freightwaves