Private contract employees working at the U.S. Department of State have repeatedly accessed U.S. Senator Barack Obama's passport records over the past three months -- a breach flagged by the State Department's in-house computer system but subsequently downplayed by the supervisors of the offices in which the breaches occurred.
Two of those workers have since been fired by their employers, the Obama campaign is seeking answers as to how it happened, and a broader investigation is in the works.
The actions of these three separate workers, employees of two different contractors, were described by State Department spokesman Sean McCormack as "imprudent curiosity." But he said that is only an "initial finding" and said the department's inspector general has been asked to investigate. The details came out in a late night, hastily called press conference.
McCormack said the department "is not being dismissive of any other possibility," meaning that it hasn't closed the door to motives other than simple curiosity.
None of the people or employers have been identified. A third contractor was disciplined, but hasn't been fired for viewing the records and is reputed to still be contracted for State Department work.
The breaches happened on Jan. 9, Feb. 12 and March 14, but senior State Department officials weren't aware of them until a reporter sent an e-mail query to the department's press office on Thursday.
In explaining what happened, the department also provided details about how its security monitoring system works to protect record privacy. But it's a system that identifies breaches after the fact.
The state department has "strict policies and controls" to passport records, said McCormack. Employees and contractors are trained on the use of the system, and each time an employee logs on to the system "he or she acknowledges that the records are protected by the Privacy Act and they are only available on a need to know basis."
"In each of these three cases the system that was set up to detect any authorized access of these kinds of records worked -- these unauthorized accesses were detected by the state department and immediately acted on," said McCormack.
Undersecretary Pat Kennedy said some records have "what computer people call flags -- we put flags on certain records that trigger a report to a supervisor that the record has been accessed," he said.
Not all 18 million passport records have flags, said Kennedy. The department's Bureau of Counsel Affairs determines what records to flag, he said.
For those records that aren't flagged, Kennedy described a system -- part of an IT upgrade several years ago -- that appears to have business intelligence capability. As Kennedy explained it, there are "other patterns of activities" that are used to determine whether a record has been accessed inappropriately.
Related content:
Passport Online breach adds to privacy chief's audit list
Security feature: Getting defensive
Privacy experts push for breach law