Which idiot is losing your data today?

Maybe I’m too much of a softie, but sometimes I find myself looking for ways to forgive some companies for embarrassing data breaches that expose our data to thieves.

But it’s hard to forgive an organization like the Transportation Security Administration (TSA) whose entire focus is supposed to be on security and yet they still mess it up.

The Seattle Post recently ran a great article on a TSA mess-up that went largely unreported, despite a Congressional enquiry. It’s a long and slightly complicated story, but in a nutshell the TSA contracted with a small web design company in Seattle to create and manage an external web site where consumers could challenge their inclusion on the controversial “no fly” list.

Well, it turns out that neither the TSA nor the contractor knew or cared very much about security. Apparently there was little protection in place for any of the sensitive data, like home addresses and even Social Security numbers, that consumers were required to provide to the web site. Apart from the fact that such highly sensitive projects should never be handed over to small inexperienced businesses, the security mistakes made by the web design firm are unforgivable.

An investigation uncovered the fact that the contract was a no-bid type where only the chosen contractor could participate. And that unusual approach to selecting contractors for highly sensitive projects might have been because the individual at the TSA responsible for leading the project was not only a good friend of the contractor, he had actually worked for the contractor.

Despite the mess-up, the investigation, and the very questionable practices by the TSA, the TSA decided that no action should be taken. The contractor was never punished and continues to get work from the TSA. And the TSA didn’t even think its own employee needed to be reprimanded.

When this is the type of security stupidity we can expect from one of the nation’s top security agencies, what hope have we?

Posted on Tuesday, January 22, 2008 at 12:30PM by Neal O'Farrell
