Security holes found in State visa database: report

A crucial State Department database used to vet travelers to and from the U.S. had gaps in its security that could have allowed hackers to either steal or edit visa information, according to a Thursday report.


The recently discovered vulnerability — which has been repaired, according to one agency official — was considered a risk because it could have helped foreign nations plant spies in the U.S. and because the Islamic State in Iraq and Syria (ISIS) has expressed interest in exploiting the visa system, sources told ABC News.

Supporters of the State Department have sought to downplay the risk, emphasizing that no breach had been detected.

“[We] view this issue in the lowest threat category,” the agency official said.

“We are, and have been, working continuously ... to detect and close any possible vulnerability,” State Department spokesman John Kirby said in a statement to ABC.

State Department sources also said that the vulnerability in question would have been very difficult for hackers to exploit. In order to edit any information in the database, they would have to obtain “the right level of permissions” within the system, which officials said is a tough task.

The sensitive information is contained in the Consular Consolidated Database (CCD), one of the world’s largest biometric repositories. It includes information about almost everyone who has applied for a U.S. passport or visa in the last 20 years and contains images, fingerprints and Social Security numbers.

The vulnerability, made known to high-level officials across government, sparked concerns that adversaries would alter the information used to approve or reject visa applications.

In 2015 alone, the State Department denied more than 2,200 applications from people with a “suspected connection to terrorism,” a senior homeland security official told lawmakers last month.

Some government sources are unconvinced that the problem has been fixed.

“Vulnerabilities have not all been fixed,” one congressional source said. “There is no defined timeline for closing [them] out.”