TAMPA — A consultant working to upgrade Tampa International Airport’s computer system last year caused concern among some airport employees about a potentially serious security breach because he shared his user name and password with 19 people in foreign countries.
Former and current employees warned airport managers that sensitive information, including employee Social Security numbers and a secured list of people on a federal terrorism-related no-fly list, could have been accessed.
An investigation by the Hillsborough County Aviation Authority and an audit by an outside security consultant concluded that although user names and passwords were shared, those involved in the software upgrade did not have access to the authority’s entire computer network. The security consultant, though, was “unable to determine specifically what data may have been transferred.”
Airport officials said in an email Friday that “we firmly believe that no information, that no sensitive personal information or information that poses a threat to the safety of anyone was compromised.”
The information technology consultant, Gautham Sampath, who told airport authorities he shared his log-in information with people helping him upgrade the airport’s computer software, resigned his $120,000 job during the investigation, and IT Director David James, who made a salary of $139,000, also resigned.
Two other employees — at least one had expressed concerns to supervisors over a potential security breach — quit. Don Haire, a nine-year employee in the airport’s IT department, reached a confidential settlement with the Aviation Authority. His attorney said he would not comment for this report.
❖ ❖ ❖
The investigation determined that dozens of times in 2015, people logged in to the Aviation Authority system using the same user name and password issued to Sampath from places including India and the United Arab Emirates.
Neither the allegations nor the conclusions from the investigation have been discussed at the Aviation Authority’s public board meetings. The Tampa Tribune was denied interviews with airport CEO Joe Lopano and Aviation Authority attorney Michael Stevens, with an airport spokesman saying they were unavailable for comment.
Airport spokeswoman Janet Zink said Aviation Authority board members were briefed individually about the six-month investigation and issued copies of the audit when it was completed in January.
In an email to the Tribune, the airport said the investigation was not shared with the Transportation Security Administration, which oversees security at all U.S. airports, or with the Federal Aviation Administration or any other agency because it was not required.
❖ ❖ ❖
The Tribune received by mail this week a copy of a letter, dated Jan. 25, that labor and employment lawyer Phyllis Towzey wrote to Aviation Authority Human Resources Director Dominic Marcone, stating that Haire, her client, was seeking severance because he could no longer work in the stressful environment surrounding the investigation. Haire alleged he was being treated badly at work because managers thought he was a whistleblower in the case.
Authority officials denied Friday that Haire ever was treated improperly. They also denied that management did not immediately address the concerns employees brought forward. “The investigation (was) begun immediately, led by Director of Internal Audit and Director of Ethics, Diversity and Administration in accordance with” board policy. Additional information was brought forward by employees in October.
Towzey, in the letter, said Haire’s concerns involved “unauthorized remote VPN access into the Aviation Authority’s network by various suspicious people who allegedly were working on a project” and user names and passwords shared among staff and contractors throughout the U.S. and overseas. Haire alleged that this potentially exposed confidential information.
❖ ❖ ❖
Aviation Authority Chairman Robert Watkins said Friday he believes the matter was handled appropriately and smartly by the airport staff and that new security measures to prevent log-in sharing address the issue wisely.
“I am aware there was a breach. The board received a briefing from Joe Lopano by email on that, and I was satisfied they were handling it correctly and taking appropriate action,” Watkins said. “I’m not concerned they are not going to do exactly what should be done.”
As to whether it should have been brought up in a public meeting, he said he did not believe that was necessary.
Board member Victor Crist, who also is a Hillsborough County commissioner, said he had planned to bring the matter up at a board meeting but was asked to hold off until after the investigation. The investigation was completed in January. He has never brought it up.
The board’s newest member, retired Brig. Gen. Chip Diehl, said he had not been briefed on the investigation. Other board members did not return phone calls for comment.
Among security measures put in place as a result of the investigation: Employees may only log in to the Aviation Authority system on an employer-issued device, and a log-in may only be used by one person at a time. Prior to the new security measures, employees could log in using their personal computers. There also are limits on how long an employee may be logged on to the system.
“We feel comfortable that the Aviation Authority assets and information was safe,” Zink said, “and steps have been taken to ensure that in the future.”