State Department's database vulnerabilities are nothing new

The State Department's vast database for processing visas, which has had its share of IT struggles, is back in the spotlight courtesy of an ABC News report that the database is vulnerable to hacking.

An internal study of State's Consular Consolidated Database revealed the system was at risk of being breached, according to the ABC News report, which cited anonymous sources at the department and on Capitol Hill. The CCD is a federation of several databases that holds 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas, according to Ashley Garrigus, spokesperson for the department's Bureau of Consular Affairs.

The State Department is under constant siege from hackers trying to obtain sensitive government information, Garrigus said in a statement to FCW. However, she said, "there is no current evidence that a cybersecurity incident has occurred pertaining to the CCD."

Garrigus said the department cannot discuss the "specifics of our remediation efforts for vulnerabilities due to the sensitivity of that information."

A district judge last October sentenced twin brothers Muneeb and Sohaib Akhter for conspiring to hack into State Department computer systems to obtain passport and visa information. And the CCD has struggled at times over the last two years to run smoothly even for normal operations. A hardware jam last June ground the system to a near halt, while a software glitch took the system offline for three days in July 2014, disrupting travel for thousands of people around the world.

A former U.S. official familiar with the subject matter told FCW that recently completed software upgrades at the CCD will improve the security and reliability of the system, adding that more security-enhancing upgrades are on the way.

Nonetheless, the former official said, "one of the systemic ongoing challenges is the size of the system and the age of the software and the hardware" that form its backbone. Some of the foundational pieces of the CCD have "been around long enough for people to try to figure out how to hack them."

Any report of the CCD's vulnerabilities could mean a range of scenarios, the former official said, adding that one example could be a previously announced software patch that the State Department is just now applying.

"Any database anywhere in the world is a vulnerability," State Department spokesperson Elizabeth Trudeau said during an April 1 briefing. "However, the Consular Consolidated Database is constantly monitored [and] assessed."

FCW staff writer Aisha Chowdhry contributed reporting.