"Clear" Air-Travel Pass Data Stolen From SFO
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSN, passport number, date of birth, etc. has been compromised."
What was that info doing on a laptop? (Score:5, Informative)
What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of a database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.
The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.
Let's check out the "Clear" privacy policy [flyclear.com]. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz [paulschwartz.net], noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."
Yet there's no announcement of the security breach on the Clear web site.
Current Consumer Reports Magazine (Score:4, Informative)
See page 32.
Re:That's okay... (Score:5, Informative)
A security audit does not require you to give up your logins/passwords; if it does, you're likely being social engineered.
Oh Please (Score:5, Informative)
Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.
Unsecured computers in the field with live identity information? Check.
Multiple copies of identity information floating around? Check.
Many **totally** unaware employees in the field with private data? Check.
Many **totally** unaware employees at the contractor's office passing private data? Check.
It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.
Which is why the rules, regs, and standards for handling private information are ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.
Re:Skeptical (Score:2, Informative)
Wrong. Running around and being sloppy means nothing because no matter how "corporate" a laptop is, it does not store any copies of any sensitive information. The person carrying the laptop is no more allowed access to such records than any other.
Please give me ANY reason why and how a corporate employee with a laptop, however sloppy he or she is, should be carrying a copy of 33k of personal records with him, regardless of what company he works for, his position in the company and the type of computer.
There is a chance such access is required on a human's part, but not in the security area. A person I know closely was working as a translator for refugees in a European country. The information refugees gave that made them eligible for asylum was to remain strictly confidential, but since she had to translate this information to the government authorities on behalf of the refugees, and since she did translate it, it all went through her head and thus was potentially leaked, as it was entirely up to her to occasionally recall and reveal all kinds of intimate details on these refugees to her friends and whatnot. Which she did, occasionally. That's sloppiness.
I find it funny that when it comes to money, most respectable banks realized long ago that true security should exclude human interaction altogether, and try to replace parts of the system where human hands are due with electronics.
Time to value privacy and offer it the same kind of recognition.
CLARIFICATION, breach was limited. (Score:5, Informative)
This is from Clear customer support: consider the source and apply the appropriate amount of salt.
The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.
At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.
Re:Security theatre (Score:4, Informative)
I haven't made it far through the article, but it's good so far...
It's a great analysis of the issues, laying out what the heck privacy really is, anyway.
Re:Security theatre (Score:4, Informative)
The company in question was founded by Steven Brill who founded CourtTV and American Lawyer magazine.
He is from NY state and is a solid Democrat from what I can tell (according to his campaign contributions).
Re:Security theatre (Score:2, Informative)
You must be one of those morons who talks up private enterprise, but then conveniently forgets that corporations are not the only kind of business.
Let me spell it out for you, as I would to a child:
Corporation fucks up, you kill the corporation. IBM Corporation becomes IBM the private business. The investors get their money (whatever they can) and cash out, or they are private owners of the company. Tough to be them, they should have demanded responsible business practices. Now they're going to be held accountable as owners.
The company then loses all corporate status. It's a private company. If you're going to break the law, then you cannot get the blessing of the government as a corporation.
Remember, corporations exist only because the government says they exist. Suck on that.
Re:Security theatre (Score:1, Informative)
Just a point of clarity: the Democrats are not "in control" of Congress. They have a slight majority in the House. To be in control, you need a two-thirds majority in the House and Senate so you have enough votes to halt parliamentary procedures, force votes, and override vetoes.
From the perspective of a Clear user... (Score:3, Informative)
I work in DC, and live in Jacksonville, FL, and I normally travel back to the District on Monday mornings. I was stunned to see how long the security lines were at Jax International, even at 6:15 in the morning, and with a full slate of TSA scanners and personnel on the job.
There is nothing like being able to walk past a line of three or four hundred flyers, skip right to the head of the line and be at the gate with enough time to hit the head and grab a coffee. I have zero stress when flying now.
That being said, I'm certainly upset about the laptop theft, and the "inside job" theories might have some truth to them, considering this was supposed to be in a locked office. I don't necessarily buy the "stolen to order" conspiracies, but it is worrisome. I'll continue to do what I always have - monitor all my accounts, credit reports, etc. and hope this gets solved in a quick and reasonable fashion.
As for the necessity to hand over a lot of private information, let me explain what the procedure is:
When you apply for a Clear card online, you provide the same information, initially, that you would when ordering a product: name, address, phone, and a credit card for the screening fee only ($28 which goes to the TSA). Part of the on-line application process is providing your SSN. In this case, it's a necessary evil, since Clear has to access information only you would know. I would assume they're getting this off credit reports or public records. You answer three or four questions, and if the answers are satisfactory, you move on to the next step. You print out a document with a registration number.
That step requires an appearance, in person, at the local airport with the Clear service counters. They check your registration, and you have to provide two forms of identification. One can be any government-issued picture ID. The other, however, must be a government-issued birth certificate or a valid passport. I tried to use a birth certificate issued by the hospital where I was born in 1955, but they refused to accept it. This required me to order a new BC from the state where I lived, and finish the process another day.
Once that's finished, you stand at a kiosk and have all your fingerprints and one iris scanned. They save two or three of the fingerprints and the iris, and the data from both are eventually encoded into the chip on the smart card they issue you.
The wait for the card can be nearly a month.
As protective as I am of my privacy, I really didn't have a lot of issues with what I had to do to get this. I am an IT contractor and former federal employee, and I have a high security clearance. I had to give up a lot more during that investigation, including having family, friends and neighbors interviewed about my character. Since this is a requirement of the job, I have nothing in my past to hide, and it means a much higher salary, I'm not going to raise too much of a stink.
Clear, on the other hand, didn't get anything from me that isn't easily available (or steal-able) to anyone with a few dollars and a couple of private detectives on the Rolodex. Go to one of these "free credit report" sites and request to see what's on that thing. You have to answer some of those questions I mentioned before, and what they have is pretty interesting, and deep.
I'd be lying if I said this laptop theft doesn't worry me. I have the feeling that the idiot who stole it probably won't even look on the damn thing, and it will turn up, drive slicked, in some pawn shop.
In the meantime, I'll keep a close eye on everything sensitive (I get lots of practice at work).
And I'll still be jumping the line at the airport.
The laptop has been found (Score:3, Informative)
(08-05) 11:59 PDT San Francisco, CA (AP) --
The company that runs an airport security prescreening program says they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
...