Department officials also weren’t tracking who used the system or if they were sharing passwords.
The State Department’s consular division isn’t sufficiently protecting the data on a computer system it uses to analyze whether people seeking U.S. visas are being forthright about who they are and where they’ve traveled, according to an audit released Tuesday.
The division’s information security team also wasn’t regularly patching the system, scanning it for computer viruses or auditing for evidence about whether it had been compromised by hackers, according to the inspector general’s report.
The State Department system is partially populated with information from a Homeland Security Department system to track arrival and departure information for U.S. visa holders, but it’s transferred to a standalone system used by the consular section’s fraud prevention office, the audit said.
The fraud prevention office hasn’t written out adequate rules for who can view that information and when, according to the report. The office also isn’t keeping adequate logs of who accesses the information.
In some cases, fraud investigators were also sharing passwords to the system, the audit found.
In a follow-up management comment, the consular section said it agreed those information security issues need to be remedied. The section set a November 2018 deadline for fixing them.
Access to the Homeland Security system has been a major boon to the State Department and allowed it to reduce the average time to validate visas from days or weeks to just hours, the audit said.