"Clear" Air-Travel Pass Data Stolen From SFO
Posted by
timothy
on Tuesday August 05, @12:12PM
from the is-kip-hawley-thetan-clear? dept.
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."
Related Stories
"Clear" Laptop Found, In the Same Locked Office 264 comments
jafo alerts us to an SFGate story reporting that the lost "Clear" Program laptop has turned up in the same office from which it was reported missing, but not in its previous location. "A preliminary investigation shows that the information was not compromised... The computer held names, addresses and birthdates for people applying to the program, as well as driver's license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information... The information was encrypted on the server, but not on the laptop, although it should have been... However, it was protected by two levels of passwords." Reader jafo adds, "Pardon me if I have little confidence that an organization that loses a sensitive laptop for 9 days is able to tell if it was compromised."
Security theatre (Score:5, Interesting)
To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.
I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this, where private companies are motivated by the lowest common denominator, really get under one's skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to do now, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (whose job it is to ensure the safety of travel, and which should not have been in the business of verifying identity for air travel anyway).
Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)
Re:Security theatre (Score:5, Insightful)
Yea, and this also brings some interesting light to the issue with "If you have nothing to hide, why don't you want to provide us with your [biometrics|passport|id|*]" argument.
Refusing to give away address, email, phones, SSID along with fingerprints is almost considered a crime in itself right now, since if you are not planning on terrorist activities, you don't have anything to hide, have you!?
But here, perfectly innocent people suddenly have all their personal information spread to criminal groups or whoever end up being the buyer of this information.
Scary stuff...
Re:Security theatre (Score:5, Interesting)
I've Got Nothing to Hide and Other Misunderstandings of Privacy [ssrn.com]
Re:Security theatre (Score:5, Funny)
I have no problem giving you my SSID, it's the WPA2 key that I have a problem giving out ;)
Re:Security theatre (Score:5, Insightful)
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.
That might be the point for you, but for the government officials there are other points to consider:
1) Who bid the lowest.
2) Will the company chosen contribute enough money to my/our campaign in the future.
3) Is there a way I can profit from my choice of contractor.
The idea that someone would believe a company is chosen for its actual merits is ludicrous.
Re:Security theatre (Score:5, Insightful)
Well, choosing a company based on something abstract like merits is illegal because it's often used to hide #2 and #3. Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done.
Honestly, do you think larger corporations are any different? Deals are always given to good old boy friends who will give you something later. It's not even illegal, like it is in government.
Re:Security theatre (Score:5, Interesting)
That's only true in the very last stage of bidding on government contracts. The key is to have the requirements written "properly". I put the last word in quotes because every contractor wants their special value-add to be made a requirement of all bid requests; that way they're always cheapest and win the final bid. By the time the final wording is written into any request for proposals, the winner is usually no surprise.
Re:Current Consumer Reports Magazine (Score:5, Interesting)
I wonder how that number is affected when one considers that the government is more likely to be required to report these types of crimes whereas a private company is not (for the most part).
Re:Security theatre (Score:5, Insightful)
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.
That's the ostensible reason, the one they use to sell it to those who distrust government spending like libertarians, fiscal conservatives and some old-school Republicans.
The real reason is usually to privatize the profit centers, while continuing to keep the cost centers public, so the old boy network can continue to get slopped at the public trough.
Oh Please (Score:5, Informative)
Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.
Unsecured computers in the field with live identity information? Check.
Multiple copies of identity information floating around? Check.
Many **totally** unaware employees in the field with private data? Check.
Many **totally** unaware employees at the contractor's office passing private data? Check.
It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.
Which is why the rules, regs, and standards for handling private information are ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.
CLARIFICATION, breach was limited. (Score:5, Informative)
This is from Clear customer support: consider the source and apply the appropriate amount of salt.
The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.
At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.
Re:That's okay... (Score:5, Informative)
A security audit does not require you to give up your logins / passwords; if it does, you're likely being social engineered.
Directed to the Systems Administrator of VIP, inc. (Score:5, Insightful)
Seriously?
Re:Directed to the Systems Administrator of VIP, i (Score:5, Insightful)
How does this system improve security, anyway? (Score:5, Interesting)
Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
Lack of proper management (Score:5, Insightful)
Re:Lack of proper management (Score:5, Insightful)
CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility.
- The Devil's Dictionary
Skeptical (Score:5, Interesting)
I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.
I wonder how much one can get per personal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.
It shouldn't matter, but it does (Score:5, Funny)
Names, SSi number, date of birth... we need to stop using all of these as ID right now.
My suggestion is this. At some appropriate age, say 16-18, where most countries seem to issue ID, we each choose and commit to memory a graph G, such that the chance of a collision in all of earth's population is close to zero. Then whenever we need to prove our ID for air travel or whatever, we just need to go through several rounds of identity proof where we generate an isomorphic graph H, and show EITHER the isomorphism between H and G, or a Hamiltonian cycle in H. After a sufficient number of rounds your identity would be certain to the required probability and you could be on your way.
The technique to do this mentally could be taught in schools. It's THAT SIMPLE!
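The "show the isomorphism OR a Hamiltonian cycle" rounds the post sketches are Blum's zero-knowledge proof of knowing a Hamiltonian cycle. As an added example that is not part of the original post, here is one honest round of that protocol plus a repeated-round check; the graph, the secret cycle and the SHA-256 hash commitments are constructed here and are assumptions of the example.

```python
import hashlib, os, random
from itertools import combinations

def commit(bit, nonce):   # hash commitment to one adjacency-matrix entry of H
    return hashlib.sha256(nonce + bytes([bit])).hexdigest()

def permute(edges, pi):   # relabel vertex v as pi[v]: H = pi(G)
    return {frozenset((pi[u], pi[v])) for u, v in edges}

def prover_commit(edges, n, pi):
    # commit to every vertex pair, so the verifier learns nothing about H yet
    h = permute(edges, pi)
    nonces = {frozenset(p): os.urandom(16) for p in combinations(range(n), 2)}
    return {e: commit(int(e in h), r) for e, r in nonces.items()}, nonces

def respond(challenge, edges, cycle, pi, nonces):
    if challenge == 0:    # open everything: reveals pi and H, never the cycle
        h = permute(edges, pi)
        return {"pi": pi, "openings": {e: (int(e in h), r) for e, r in nonces.items()}}
    hc = [pi[v] for v in cycle]   # open only the cycle's edges in H: no link back to G
    cyc = [frozenset((hc[i], hc[(i + 1) % len(hc)])) for i in range(len(hc))]
    return {"cycle": hc, "openings": {e: (1, nonces[e]) for e in cyc}}

def verify(challenge, edges, n, comms, resp):
    op = resp["openings"]
    if any(commit(b, r) != comms[e] for e, (b, r) in op.items()):
        return False      # an opening does not match its commitment
    if challenge == 0:    # H must be exactly a relabelling of G
        pi = resp["pi"]
        if sorted(pi) != list(range(n)) or set(op) != set(comms): return False
        h = permute(edges, pi)
        return all(b == (e in h) for e, (b, _) in op.items())
    cyc = resp["cycle"]   # opened edges must form one cycle through all n vertices
    if sorted(cyc) != list(range(n)): return False
    want = {frozenset((cyc[i], cyc[(i + 1) % n])) for i in range(n)}
    return set(op) == want and all(b == 1 for b, _ in op.values())

def prove(edges, cycle, n, rounds=20):
    # a prover without a cycle can prepare for only one challenge, so each round halves its odds
    for _ in range(rounds):
        pi = list(range(n)); random.shuffle(pi)
        comms, nonces = prover_commit(edges, n, pi)
        chal = random.randrange(2)
        if not verify(chal, edges, n, comms, respond(chal, edges, cycle, pi, nonces)):
            return False
    return True

# Constructed sample (not from the post): a 5-cycle plus chord (0,2); the cycle is the secret.
GRAPH = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
CYCLE = [0, 1, 2, 3, 4]
```

Twenty rounds leave a cheating prover about a one-in-a-million chance, which is the "required probability" knob the post mentions.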
What was that info doing on a laptop? (Score:5, Informative)
What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of a database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.
The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.
Let's check out the "Clear" privacy policy [flyclear.com]. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz [paulschwartz.net], noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."
Yet there's no announcement of the security breach on the Clear web site.
Make it a punishable offense. (Score:5, Insightful)
I don't understand why there aren't penalties for this sort of thing. The way I see it this qualifies as criminal negligence because the ramifications for an individual of having their identity stolen can be severe.
If loss of personal data is somehow attributable to negligence on the part of the company, in this case the lack of encryption and maybe not securing the laptop properly, the company should be penalized. The most obvious would be a fine; let's say $10,000 for each account.
My bank, or companies they do business with have managed to lose a significant amount of customer information, not once, but twice in the past year. They mailed out notices and provided customers with some bullshit free access to credit monitoring for 12 months, later extending it to 18 or 24 months. And that's that, it's out of their hands.
But then what the hell do politicians care? With financial institutions like Countrywide giving out extra-low interest rate VIP loans to congressmen they have no incentive whatsoever to look out for our best interest.
Re:$128, not $100 (Score:5, Funny)
The extra $28 was added to include a year of credit monitoring I think.
Re:$128, not $100 (Score:5, Funny)
Re:Does nobody use disk encryption? (Score:5, Insightful)
WTF was data like this doing on something nice and portable like a laptop anyway? I bet it was in an Excel spreadsheet (the database of choice for PHBs everywhere) too.
(And yes, it should have been encrypted.)
Re:How many times does this need to happen (Score:5, Insightful)