It hasn’t been a good week for the Department of Homeland Security (DHS) or the Transportation Security Administration (TSA). On Sunday, news of an improperly redacted airport screening manual began to circulate on the Web. By Tuesday the story had hit mainstream media and the evening news. And by Wednesday, Homeland Security Secretary Janet Napolitano was telling members of the US Senate Judiciary Committee that DHS and TSA were taking steps to ensure such a leak doesn’t occur again.

Secretary Napolitano downplayed the leak’s severity, but as CBS News correspondent Bob Orr points out in the video, the document contains lots of sensitive information, such as:

  • How walk-through metal detectors are calibrated
  • Pictures of the badges and ID cards used by the ATF, CIA, Federal Air Marshals, and members of Congress
  • Items which aren’t required to be screened (wheelchairs, prosthetic devices, etc.)
  • Special treatment for foreign dignitaries
  • Those countries whose travelers are always subject to extra screening

To make matters worse, this leak wasn’t the work of cyber spies. No. A redacted version of the document was intentionally posted on a government Web site as an Adobe PDF file. Unfortunately, the individual who created the file merely placed black boxes over the sections to be redacted. The hidden text was left within the document. To view the text, individuals needed only to copy the text around and under the boxes and paste it into another word processor.

While it’s too late to undo any damage caused by the release of this document, the event should serve as a warning to all organizations and IT departments that handle sensitive information. Electronic documents often store hidden information (metadata) that isn’t immediately visible when viewing the document on a computer or printing it. All employees responsible for releasing, publishing, or transmitting documents with sensitive information should be thoroughly trained on the existence of metadata and the proper way to remove it. In fact, we wouldn’t be having this discussion if the TSA employees involved here had followed the National Security Agency guidelines on redacting information from Microsoft Word or Adobe PDF files.
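A pre-release check for the failure described above, written as an added example (it is not from the original article or from any TSA or NSA tooling): it scans a PDF page content stream for text that is still present beneath a filled rectangle. Both streams are constructed samples, and the parser assumes uncompressed streams with simple `Td`/`Tj` text and `re f` boxes; real files need a full PDF library.

```python
import re

# Constructed, uncompressed page content streams (not taken from the TSA manual).
# "x y Td (text) Tj" draws text at (x, y); "x y w h re f" paints a filled box.
BOXED_ONLY = b"""
BT /F1 12 Tf 72 700 Td (Screening procedures overview) Tj ET
BT /F1 12 Tf 72 680 Td (SAMPLE SENSITIVE CALIBRATION TEXT) Tj ET
0 g
70 676 300 16 re f
"""

# Same page after real redaction: the text operator itself has been removed.
PROPERLY_REDACTED = b"""
BT /F1 12 Tf 72 700 Td (Screening procedures overview) Tj ET
0 g
70 676 300 16 re f
"""

NUM = rb"(-?\d+(?:\.\d+)?)"
WS = rb"\s+"
RECT = re.compile(NUM + WS + NUM + WS + NUM + WS + NUM + rb"\s+re\s+f\b")
TEXT = re.compile(NUM + WS + NUM + rb"\s+Td\s*\(((?:\\.|[^\\)])*)\)\s*Tj")


def filled_rects(stream):
    """Return (x, y, width, height) for every filled rectangle."""
    return [tuple(float(v) for v in m.groups()) for m in RECT.finditer(stream)]


def text_runs(stream):
    """Return (x, y, string) for every text run a viewer can copy out."""
    return [(float(m.group(1)), float(m.group(2)), m.group(3).decode("latin-1"))
            for m in TEXT.finditer(stream)]


def text_under_boxes(stream):
    """Return strings whose origin lies inside a filled rectangle.

    Simplification: box colour and paint order are ignored, so any overlap
    is reported and left for a human reviewer to confirm.
    """
    rects = filled_rects(stream)
    return [s for x, y, s in text_runs(stream)
            if any(rx <= x <= rx + w and ry <= y <= ry + h
                   for rx, ry, w, h in rects)]


if __name__ == "__main__":
    for name, stream in (("boxed only", BOXED_ONLY),
                         ("properly redacted", PROPERLY_REDACTED)):
        print(name, "->", text_under_boxes(stream) or "no text under boxes")
```

A non-empty result means the box only hides the text on screen; the document should not be released until the underlying text has been deleted.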

I encourage all IT departments to remind the individuals you support about the dangers of hidden metadata and the proper way to remove it.
