"Clear" Air-Travel Pass Data Stolen From SFO
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."
Security theatre (Score:5, Interesting)
To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.
I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under one's skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (whose job it is to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).
Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)
This doesn't surprise me very much... (Score:2, Interesting)
The thing is, though, they're only encrypting the new tablet PCs we just bought, not the older Thinkpads we used - And the database is imported from the web, which means the unencrypted laptops contain the same data the encrypted ones do...
I have a feeling we'll see even more of these in the near future.
How does this system improve security, anyway? (Score:5, Interesting)
Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
Skeptical (Score:5, Interesting)
I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.
I wonder how much one can get per personal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.
Kind of a coincidence (Score:3, Interesting)
NOW?... (Score:3, Interesting)
NOW? They're NOW deciding that it might be a good idea to encrypt the data? Ok, I don't work in the industry and all but even I, as an uneducated outsider, know that it's a good idea to encrypt that sort of data. Jebus... That should have been one of the first priorities in developing their systems and procedures...
Re:Jailtime (Score:3, Interesting)
Back up there. For all you know, there were people within the company who were calling for proper security controls but were ignored. That's certainly what happened at my last job: our IT team continually raised the subject of full-disc encryption on laptops and we were continually ignored, right up until a laptop with a demo version of our software was stolen from a trade show. Apparently that was high-profile enough that the board of directors finally woke up and ordered full-disc encryption for every laptop, although of course by then it was too late.
Re:Security theatre (Score:5, Interesting)
I've Got Nothing to Hide and Other Misunderstandings of Privacy [ssrn.com]
Re:Security theatre (Score:3, Interesting)
Corporate Death Penalty! It's an option that is seldom used, but should be used more and more.
When corporations break the law and are found guilty, their existence as corporations should be ENDED.
Re:Security theatre (Score:1, Interesting)
When a company makes others vulnerable to identity theft by not securing our most personal data, I've always thought that the appropriate punishment would be to allow each person affected to walk into any office of the company and take any one item from the company. This would give the company a very similar risk for the loss of this data as we have by making them suffer a potential loss of unknowable size which is exactly the same risk you have when your identity is stolen. When the risks are not equalized, the company has no real benefit from protecting the data of the customer because the company suffers very little when the data is compromised.
Re:What was that info doing on a laptop? (Score:1, Interesting)
Mod parent up.
Another thing - suppose this laptop is recovered, and someone has added some names and data to the DB - ones that can be later used as covers?
Re:How many times does this need to happen (Score:3, Interesting)
Well, not only that, but shouldn't that laptop have a tracing program on it? One of those services that helps you find the stolen laptop?
A new security industry created by the government's drive to snoop in all our lives has proven exactly why no one is to be trusted with your ID info. period. Makes you wonder who the real terrorists are? Bin Laden must be laughing his last lung out.
The weakest link in your security is always a human and since humans work for the NSA, DHS et al, there is NO reason to trust them with anyone's data never mind your own.
Before 9/11 this would not have happened because this business would not have existed. There is no justification for its existence that makes any logical sense at all.
Re:Security theatre (Score:5, Interesting)
That's only true in the very last stage of bidding on government contracts. The key is to have the requirements written "properly". I put the last word in quotes because every contractor wants their special value-add to be made a requirement of all bid requests-- that way they're always cheapest and win the final bid. By the time the final wording is written into any request for proposals, the winner is usually no surprise.
Re:Current Consumer Reports Magazine (Score:5, Interesting)
I wonder how that number is affected when one considers that the government is more likely to be required to report these types of crimes whereas a private company is not (for the most part).
Re:Security theatre (Score:3, Interesting)
o Only publicly available information - name, address, etc. was on the laptop.
o No private data such as SSID and credit card information were on the laptop
This does not excuse the lack of security, but it might make those that had their data on the laptop feel better, if true.
Re:How many times does this need to happen (Score:4, Interesting)
Exactly. Why is my Social Security number needed to purchase a cell phone and contract? Does my insurance company need it? Why do credit checks have to be run for everything nowadays? I would honestly prefer giving something like my fingerprint at the store, as long as the employee also had to give theirs, as a way of certifying "yes, they pressed their thumb, I watched them, and they were not coerced".
I think that the best thing that can happen is that more IDs are stolen, as in millions, as in IRS or some state's database. If they can no longer be trusted, they will no longer be used.
Re:hahahahahaha! (Score:3, Interesting)
Honestly, I think it's time to institute a punishment for a corporation, the most severe punishment that can happen to something that can't be thrown in jail. Revoke their charter, and nullify the entire company. The corporate death penalty, if you will.
If it happens more often, companies will start to realize that this isn't a matter of getting fined, which their insurance will cover, and their rates will go up a little, but that the company will no longer exist, and can't write paychecks, can't purchase goods, can't deposit money, and their assets will be sold off to the highest bidder. Might make them a little more "caring" about important issues.
Re:Security theatre (Score:3, Interesting)
>having unencrypted data of 33,000 of your customers on that laptop is a crime.
It is a crime, and the person responsible, and anyone that knew or should have known that person had this data on a laptop, should be treated *precisely*, literally, as an enemy of the state, an enemy combatant during wartime, and the incident should be approached with strong suspicion that the loss was no accident. The people responsible will protest their innocence, as do all traitors, and we should be deaf to that.
This may have been an accident, but it is still the kind of accident that costs your freedom, if not your life.
Targeted theft? (Score:3, Interesting)
Not criminals, terrorists (Score:2, Interesting)
Everybody assumes that this data would go to criminals for use in ID theft mischief. What if terrorists used it to program their own Smart cards in order to "speed through airport security"?
You expect commercial interests to do dumb stuff like this out of greed or incompetence. Accordingly, the fact that TSA/DHS didn't certify this company's procedures tells you something about their competence/security.
Airport security is a total joke (Score:2, Interesting)
The only reasonable thing that they did after 9/11 was lock the cockpit doors. Everything else is BS designed to make you think that they're doing something useful.