WASHINGTON — A State Department passport record system that holds personal data on more than 120 million Americans is wide open to abuse and unable to prevent or detect unauthorized access, investigators said Thursday.
The review by the department's inspector general was ordered after revelations in March that State Department employees and contractors had accessed the files of presidential candidates Hillary Clinton, John McCain and Barack Obama.
The IG report found a much broader problem.
Investigators surveyed the records of 150 high-profile Americans, whose names were selected from Forbes and Sports Illustrated magazine lists and Internet search engine Google's most-searched names.
Of the 150 — who weren't named in the report — 127, or 85 percent, had had their passport files accessed a total of 4,148 times, strongly suggesting attempts at unauthorized access.
"The system is unable to protect itself," said one State Department official, who requested anonymity to speak more freely. "Anybody can go in."
State Department officials disclosed Thursday that two more contract employees have been fired for accessing passport records without authorization, in addition to the three who were terminated after the March disclosures.
The database, known as the Passport Information Electronic Records System, was installed in 1999. It includes records on 192 million passports held by 127 million U.S. citizens, including data such as Social Security numbers, dates and places of birth, and passport numbers.
Investigators said they were unable to determine precisely how many individuals had access to the system or how many breaches had occurred.
The inspector general "found many control weaknesses — including a general lack of policies, procedures, guidance and training — relating to the prevention and detection of unauthorized access to passport and applicant information," says the report, which was released in heavily redacted form.
It also criticized "the subsequent response and disciplinary processes when a potential unauthorized access is substantiated."
The review found that about 20,500 people have access to the system. Of those, more than 8,000 are outside the State Department at such agencies as the Department of Homeland Security, the FBI and the Office of Personnel Management.
It said the State Department didn't have in place many of the controls implemented by agencies such as the Internal Revenue Service and Social Security Administration that maintain databases containing sensitive personal information.
For example, it said, an alert is triggered at the IRS when a user attempts to access the tax records of a relative or neighbor.
Officials in the State Department's Bureau of Consular Affairs, which oversees the passport system, didn't dispute the report's findings and pledged to implement 19 of its 22 recommendations.
Secretary of State Condoleezza Rice pledged to get to the bottom of the problem when it surfaced in March, and made apologetic phone calls to Clinton, McCain and Obama.
Department officials said they'd greatly expanded the list of high-profile citizens whose passport files generated alerts when they were accessed, from 38 in March to more than 1,000 today.
They said they'd also disabled all inactive accounts in the Passport Information Electronic Records System.
A separate investigation into the unauthorized access of the presidential candidates' passport records continues, said Tom Burgess, a spokesman for acting Inspector General Harold Geisel.