"Clear" Air-Travel Pass Data Stolen From SFO 379
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."
Security theatre (Score:5, Interesting)
To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.
I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under ones skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (who's job it to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).
Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)
Re:Security theatre (Score:5, Insightful)
Yea, and this also brings some interesting light to the issue with "If you have nothing to hide, why don't you want to provide us with your [biometrics|passport|id|*]" argument.
Refusing to give away address, email, phones, SSID along with fingerprints is almost considered a crime in itself right now, since if you are not planning on terrorist activities, you don't have anything to hide, have you!?
But here, perfectly innocent people suddenly have all their personal information spread to criminal groups or whoever end up being the buyer of this information.
Scary stuff...
Re:Security theatre (Score:4, Insightful)
Yeah.... You have nothing to fear except fear itself..... and incompetence. So, just hand your data over to us and we'll verify that you are who you are which really does nothing for national security anyway because there is nothing that prevents someone from getting "cleared", then carrying out a crime later.
Re:Security theatre (Score:5, Interesting)
I've Got Nothing to Hide and Other Misunderstandings of Privacy [ssrn.com]
Re:Security theatre (Score:4, Informative)
I haven't made it far through the article, but it's good so far...
It's a great analysis of the issues, laying out what the heck privacy really is, anyway.
Re:Security theatre (Score:5, Funny)
I have no problem giving you my SSID, it's the WPA2 key that I have a problem giving out ;)
Re:Security theatre (Score:5, Insightful)
Don't get me wrong. I'm all about security where it's needed and where it's appropriate. I'd prefer not to be killed by a terrorist just as much as the next guy... but we've got to maintain some perspective here. You can't stop someone willing to commit suicide from killing people. Look at that guy in Japan that ran over people in a mall with a truck and then started stabbing people. He was armed with a KNIFE.
Throwing away our rights for the illusion of security depresses me.
QED (Score:3, Insightful)
I have a feeling everyone on the plane would fight it.
You have a feeling? This was proven an hour and twenty minutes after the first plane hit the Twin Towers, by ordinary Americans correctly assessing the security situation over a field in Shanksville, PA.
Then we hardened the cockpit doors to make double-sure. Everything since then has been a distraction.
Re:Security theatre (Score:5, Insightful)
Nice to see the almost automated partisan knee-jerk moderating system is still working.
Bury my posts as trolling as fast as you can. It's not /. it's digg!
I was going to mod you troll, but you genuinely seem to not understand the moderation, so I thought this might be more educational.
Your posts are moderated as "troll" because your argument is poorly reasoned, poorly expressed, and wholly inflammatory. You fail to address the claims of "security theater" (ie, why identity verification increases safety of travel), and instead provide a fallacious and derogatory argument.
Your blaming this on partisanship only demonstrates a total lack of cognizance of your churlish use of logical fallacies to further a point, and moderation as "troll" is well deserved.
This is slashdot, not digg, and I hope that we have the capability to hold discourse to a higher standard.
Re:Security theatre (Score:5, Insightful)
Asking someone to show ID to get on a plane seems reasonable to me.
How does knowing a passenger's identity increase your safety aboard an airplane? I'd rather allow anonymous travel and require mandatory pat-downs than believe I'm any safer because some government hack knows the name of the guy that's willing to die so he can kill a few others.
So much for not needing 'papers' to travel inside the US.
Re:Security theatre (Score:5, Insightful)
None of the Sept. 11th hijackers were in the U.S. illegally. All had legitimate forms of identification, and none used false identification. I doubt any were even suspected of terrorist ties.... We ask people to show ID as they get on airplanes for one reason and one reason only: to make people who can't see through the new sham measures feel safer.
Want to make people actually safer?
Re:Security theatre (Score:4, Insightful)
As a total dollar amount, sure, the U.S. seems to give a lot. I used to think that was pretty good until I saw the cold, hard math. Total dollars is just not a very interesting metric when you consider how wealthy the U.S. is as a nation. Per capita, the U.S. provides much less disaster relief money than any of the other major world powers, and as a percentage of our GNP, it's even more laughable.
Remember the parable of the widow who gave her two coins in the synagogue. People perceive that we a nation give of our excess while so many others give in spite of their need. It's like a billionaire giving $500 at a charity auction. Even if it is more than all the other people combined, if that was his only donation to any charity, people will still call him stingy. The poor woman who gives the two pennies that would have helped help feed her family... she is the one we should aspire to imitate as a nation.
Re:Security theatre (Score:5, Insightful)
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.
That might be the point for you, but for the government officials there are other points to consider:
1) Who bid the lowest.
2) Will the company chosen contribute enough money to my/our campaign in the future.
3) Is there a way I can profit from my choice of contractor.
The idea that someone would believe a company is chosen for its actual merits is ludicrous.
Re:Security theatre (Score:5, Insightful)
Well, choosing a company based on something abstract like merits is illegal because it's often used to hide #2 and #3. Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done.
Honestly, do you think larger corporations are any different? Deals are always given to good old boy friends who will give you something later. It's not even illegal, like it is in government.
Re:Security theatre (Score:5, Interesting)
That's only true in the very last stage of bidding on government contracts. The key is to have the requirements written "properly". I put the last word in quotes because every contractor wants their special value-add to be made a requirement of all bid requests-- that way they're always cheapest and win the final bid. By the time the final wording is written into any request for proposals, the winner is usually no surprise.
Re:Security theatre (Score:4, Insightful)
The key is to have the requirements written "properly".
And that's part of the problem. The government, in many cases, outsources because it does not have the expertise to do the job. Not having the expertise also manifests itself in the lack of details in the requirements document. Just requiring a security company that can secure stuff isn't good enough, you need to elaborate. In many cases, you may need to elaborate into details like what encryption algorithms are usable, what are not, etc. Stuff your average government lackey would know nothing about.
Re:Security theatre (Score:5, Insightful)
"Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done."
That USED to be the only consideration before the Bush administration came to town, that and if you had a token minority or woman in your executive suite you could win by exploiting affirmative action.
But, the Bush administration has been constantly sole sourcing and otherwise steering contracts to friends and contributors for 7 and a half years. There is a well oiled machine of Republican connected lobbyists who hooked companies up with a fast path to contracts. Karl Rove apparently tried to turn the entire executive branch in to a political tool where government contracts were being steered to "good Republican" companies and as tools to get Republicans elected for bringin home the bacon to companies in their districts. Many of the contracts in Iraq, both in supporting the military and rebuilding Iraq(rebuilding it very badly it turns out), were done that way.
Maybe its illegal but if no one enforces the law what does the law matter. The Bush administration had complete contempt for the law in little things like torture, spying on Americans, hiring and politically motivated prosection in the DOJ etc, what makes you think they care about it in government contracting. If they dominated the executive branch, including the DOJ, and the Congress, which they did from 2000-2006 they knew no one would investigate anything, or enforce any law. Some private citizen or public interest group would've had to blow the whistle. When they've tried the Federal government has been very effective at smacking them down. I recall a number of instances where Federal contract monitors and auditors have questioned the performance and billing of politically well connected contractors, and if they didn't shut up and rubber stamp the payments the Bush administration just fired them and put someone in the job who would stop asking questions. There was an instance of this reported a couple weeks ago.
Even since the Democrats regained control of Congress the Bush administration has been very good at frustrating every attempt to investigate all their law breaking.
If the Republicans had managed to stack the courts a little better, and hadn't been so incompetent and corrupt that they started losing elections again in 2006 the law would have been pretty much history in the U.S.
Current Consumer Reports Magazine (Score:4, Informative)
See page 32.
Re:Current Consumer Reports Magazine (Score:5, Interesting)
I wonder how that number is affected when one considers that the government is more likely to be required to report these types of crimes whereas a private company is not (for the most part).
Re:Security theatre (Score:4, Informative)
The company in question was founded by Steven Brill who founded CourtTV and American Lawyer magazine.
He is from NY state and is a solid Democrat from what I can tell (according to his campaign contributions).
Re: (Score:2)
That's okay... (Score:2, Funny)
Our company was being audited for security, and the auditors lost their papers with information on logins, etc. As a result, we had to change all of our passwords.
Re:That's okay... (Score:5, Informative)
a security audit does not require you to give up your logins / passwords, if it does you're likely being social engineered.
Re:Security theatre (Score:5, Insightful)
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.
That's the ostensible reason, the one they use to sell it to those who distrust government spending like libertarians, fiscal conservatives and some old-school Republicans.
The real reason is usually to privatize the profit centers, while continuing to keep the cost centers public, so the old boy network can continue to get slopped at the public trough.
Re: (Score:3, Interesting)
Corporate Death Penalty! It's an option that is seldom used, but should be used more and more.
When corporations break the law and are found guilty, their existence as corporations should be ENDED.
Re:Security theatre (Score:4, Insightful)
Oh Please (Score:5, Informative)
Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.
Unsecured computers in the field with live identity information? Check.
Multiple copies of identity information floating around? Check.
Many **totally** unaware employees in the field with private data? Check.
Many **totally** unaware employees at the contractor's office passing private data? Check.
It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.
Which, is why the rules, regs, and standards for handling private information is ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.
Re: (Score:3, Interesting)
o Only publicly available information - name, address, etc. was on the laptop.
o No private data such as SSID and credit card information were on the laptop
This does not excuse the lack of security, but it might make those that had their data on the laptop feel better, if true.
CLARIFICATION, breach was limited. (Score:5, Informative)
This is from Clear customer support: consider the source and apply the appropriate amount of salt.
The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.
At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.
Re: (Score:3, Interesting)
>having unencrypted data of 33,000 of your customers on that laptop is a crime.
It is a crime, and the person responsible, and anyone that knew or should have known that person had this data on a laptop, should be treated *precisely*, literally, as an enemy of the state, an enemy combatant during wartime, and the incident should be approached with strong suspicion that the loss was no accident. The people responsible will protest their innocence, as do all traitors, and we should be deaf to that.
This may
What? (Score:2)
The company has now decided that it might be a good idea to encrypt the data in their systems.
Then they've clearly hired the wrong people for the job. But since when is news like this anything new?
Re: (Score:3, Funny)
But they were the ones who bought enough congressmen and senators to get the job...surely you're not suggesting there's a better way to choose government contractors?
Does nobody use disk encryption? (Score:2)
Re:Does nobody use disk encryption? (Score:5, Insightful)
WTF was data like this doing on something nice and portable like a laptop anyway? I bet it was in an Excel spreadsheet (the database of choice for PHBs everywhere) too.
(And yes, it should have been encrypted.)
Re: (Score:3, Insightful)
A laptop should be nothing more than a client to the critical data. (Obviously with proper login and security to connect to whatever hosts the critical data)
Bah! So dumb!
Re: (Score:2)
Re: (Score:3, Insightful)
How many times does this need to happen (Score:4, Insightful)
One word of this: Incompetent.
waiting for the Big One: IRS loses taxpayer data (Score:2)
I forgot the exact country, but one of the major western European countries had a significant chunk of taxpayer ids stolen last year.
Re:How many times does this need to happen (Score:5, Insightful)
Re:How many times does this need to happen (Score:4, Interesting)
Exactly. Why is my Social Security number needed to purchase a cell phone and contract? Does my insurance company need it? Why do credit checks have to be run for everything nowadays? I would honestly prefer giving something like my fingerprint at the store, as long as the employee also had to give theirs, as a way of certifing "yes, they pressed their thumb, I watched them, and they were not coerced".
I think that the best thing that can happen is that more ID's are stolen, as in millions, as in IRS or some states database. If they can no longer be trusted, they will no longer be used..
Re: (Score:2)
I KNOW! I won't even store my own SSN / Passwords, etc. on my personal computer on my desk at home, much less on a laptop or cellphone. And yet these people are in possession of what amounts to an "identity brief" for tens of thousands of their paying customers, and leave it all conveniently accessible in a single unencrypted file on an unencrypted drive in an unsecured laptop?
Here's hoping it's just a disgruntled employee trying to call attention to the insecurity, rather than actual criminals who will u
Re: (Score:3, Interesting)
Well, not only that, but shouldn't that laptop have a tracing program on it? One of those services that helps you find the stolen laptop?
A new security industry created by the government's drive to snoop in all our lives has proven exactly why no one is to be trusted with your ID info. period. Makes you wonder who the real terrorists are? Bin Laden must be laughing his last lung out.
The weakest link in your security is always a human and since humans work for the NSA, DHS et al, there is NO reason to trust
locked doors... (Score:2, Funny)
"The company has now decided that it might be a good idea to encrypt the data in their systems"
because apparently before locked doors was good enough
Directed to the Systems Administrator of VIP, inc. (Score:5, Insightful)
Seriously?
Re:Directed to the Systems Administrator of VIP, i (Score:5, Insightful)
$128, not $100 (Score:3, Funny)
From the "Clear" link: "Clear's first year price is $128."
I'd say that's a bargain to have your identity stolen!
Re:$128, not $100 (Score:5, Funny)
The extra $28 was added to include a year of credit monitoring I think.
Re:$128, not $100 (Score:5, Funny)
That will teach people not to give out information (Score:2, Insightful)
Who am I kidding. No, it won't.
This doesn't surprise me very much... (Score:2, Interesting)
The thing is, though, they're only encrypting the new tablet PCs we just bought, not the older Thinkpads we used - And the database is imported from the web, which means the unencrypted laptops contain the same data the encrypted ones do...
I have a feeling we'll see ev
It has to be said (Score:2, Funny)
All aboard the FailPlane!
With Pic! [flickr.com]
Step 1: Encryption (Score:4, Insightful)
A laptop containing the unencrypted -
NEXT!!!
How does this system improve security, anyway? (Score:5, Interesting)
Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
Re:How does this system improve security, anyway? (Score:4, Funny)
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
Ding ding ding!
Re: (Score:2)
Pretty much.
And that's a big bonus for business travelers. I fly at least twice a week, and on some weeks, it could be way more than that. So, I spend a lot of time standing in lines at the airport and spending time with idiot passengers who do not know how to pack. Before I get in line, I have my wallet, phone and everything else in my bag, I usually carry no liquids (buy 'em where I go or le
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
You've hit upon the actual problem with this whole scheme: if you build a two-tier security system (whether you call it Clear or racial profiling or whatever) you annoy the people in the lower tier because they're being 'profiled' for extra checking -- they're false positives and they resent it and tell you that you're a racist or something.
But the reason it's a Very Bad Idea isn't because of them, it's because of the false negatives, the people who figure out how to get into the less-checked, higher tier.
Re: (Score:2)
You must be new here. But welcome. You absolutely get treated better when you have more money. You can't be surprised by this?
hundred bucks (Score:3, Funny)
Lack of proper management (Score:5, Insightful)
Re:Lack of proper management (Score:5, Insightful)
CORPORATION, n. An ingenious device for obtaining individual profit without individual responsibility.
- The Devil's Dictionary
Re: (Score:3, Interesting)
Honestly, I think it's time to institute a punishment for a corporation, the most severe punishment that can happen to something that can't be thrown in jail.. Revoke their charter, and nullify the entire company. The corporate death penalty, if you will.
If it happens more often, companies will start to realize that this isn't a matter of getting fined, which their insurance will cover, and their rates will go up a little, but that the company will no longer exist, and can't write paychecks, can't purchase
Skeptical (Score:5, Interesting)
I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.
I wonder how much one can get per personnal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.
Re: (Score:2)
Strict guidelines are all well and fine, but when you have hundreds or thousands of employees running around with corporate laptops there is simply no way to guarantee that everyone will comply.
When people are running around at the airport, hopping in and out of cabs, running from meeting to meeting, and generally trying to keep ahead of their workload, they get sloppy.
Re: (Score:2, Funny)
Sad to say but I think that you are on to something. I get several emails offering to buy and sell contact lists on email all the time. I wonder exactly what the product line looks like for these groups that buy and sell lists? "For an extra $500 you get matching SSN"!!! "Need us to sort the data, we will stop by and pick up your laptop with cash payment and completed police report."
Re: (Score:2)
It's because everyone else is of the "Well, it won't happen to me, it only happens to the other guys" mentality.
What those execs fail to realize is they ARE the 'other guys' to everyone else.
If I proposed something like this to the companies I help support, I guarentee the first question I'd get would be "How much would it cost to impliment?"
Good write up (Score:4, Insightful)
This might be the best summery I have seen in some time. It has far more usefull informtaion than the linked news story. I want to personally thank the poster for that and suggest we could use a 'goodsummery' tag to balance the 'badsummery' tag that we so often see.
Re: (Score:2, Informative)
Kind of a coincidence (Score:3, Interesting)
It shouldn't matter, but it does (Score:5, Funny)
Names, SSi number, date of birth .. we need to stop using all of these as ID right now.
My suggestion is this. At some appropriate age, say 16-18 where most countries seem to issue ID, we each choose and commit to memory a graph G, such that the chance of a collision in all earth population is close to zero. Then whenever we need to prove our ID for air-travel or whatever we just need to go though several rounds of identify proof where we generate an isomorphic graph H, and show EITHER isomorphism between H and G, or a Hamiltonian cycle in H. After a sufficient number of rounds your identity would be certain to the required probability and you could be on your way.
The technique to do this mentally could be taught in schools. It's THAT SIMPLE!
Re: (Score:3, Funny)
I am not an isomorphic graph, I am a free man!
Re: (Score:3, Funny)
> Like the patriot graph.
No. The Patriot Tree (Yes, I know it isn't a tree, but we're talking marketing now. Details don't matter.)
The system's name says it all (Score:4, Funny)
What was that info doing on a laptop? (Score:5, Informative)
What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of an database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.
The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.
Let's check out the "Clear" privacy policy [flyclear.com]. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz [paulschwartz.net], noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."
Yet there's no announcement of the security breach on the Clear web site.
Oh NOW Encryption is a Good Idea? (Score:2)
NOW?... (Score:3, Interesting)
NOW? They're NOW deciding that it might be a good idea to encrypt the data? Ok, I don't work in the industry and all but even I, as an uneducated outsider, knows that it's a good idea to encrypt that sort of data. Jebus... That should have been one of the first priorities in developing their systems and procedures...
I don't get it (Score:3, Insightful)
I don't understand why data like this was on a laptop in the first place. Encrypted or not, it seems problematic to have copies of databases floating around, flying with executives, packaged up neatly in a form that makes it easy to steal (i.e., a freakin' laptop).
What am I missing that I don't get why this database was allowed off the core server that hosts it? Simply from a data integrity standpoint it seems like a bad idea to let multiple copies move around.
Re: PHB (Score:3, Insightful)
I expect the required rules for security of the data were likely in place and applicable to most employees. It would take a special kind of stupid to not have some security rules.
But those rules seldom are applied to upper echelon management who can simply say they want data X in a readable format (probably an Excel spreadsheet) put on that laptop for their trip etc. The higher you are in an organization it seems the less likely you are to think the rules apply to *you*.
Either that or this "theft" is a conv
Irony (Score:3, Insightful)
I guess my question is....
Could a terrorist organization exploit this information to be able to get someone on a plane who wouldn't have been able to before? A fake passport/drivers license in the name of a trusted passenger who knows all the personal information he should. In any kind of rational security process, each and every one of the CLEAR passengers would now be on the TSA Watchlist, subject to extra scrutiny.
Talk about blowback! Talk about (Alanis Morissette be damned) irony! An intrusive system designed to help trusted passengers bypass an intrusive search for terrorists, allows those same terrorists to bypass the search.
I see dollar signs (Score:2, Funny)
Blame capitalism!
That shit never worked, man.
In case you were wondering... (Score:3, Insightful)
You can NOT make this shit up.
I wouldn't be fired if this happened to my laptop. I would be charged, sued, and ostracized, and find a new line of work. Probably with the phrase 'biggie-size' involved.
Almost as ludicrous as electonic voting...
next time... (Score:4, Insightful)
It will be interesting to see the fallout from this episode of "Security Theatre".
Get rid of these bozos NOW! (Score:3, Insightful)
OMG! The only, ONLY appropriate response is to temporarily shut down the program, fire the contractor, ban them from future work on this, put it out for bid again and start over.
Now they'll encrypt it... (Score:3, Insightful)
Make it a punishable offense. (Score:5, Insightful)
I don't understand why there aren't penalties for this sort of thing. The way I see it this qualifies as criminal negligence because the ramifications for an individual of having their identity stolen can be severe.
If lose of personal data is somehow attributable to negligence on the part of the company, in this case the lack of encryption and maybe not securing the laptop properly, the company should be penalized. The most obvious would be a fine; lets say $10,000 for each account.
My bank, or companies they do business with have managed to lose a significant amount of customer information, not once, but twice in the past year. They mailed out notices and provided customers with some bullshit free access to credit monitoring for 12 months, later extending it to 18 or 24 months. And that's that, it's out of their hands.
But then what the hell do politicians care? With financial institutions like Countrywide giving out extra-low interest rate VIP loans to congressmen they have no incentive whatsoever to look out for our best interest.
Too bad they didn't "make available" MP3s instead (Score:3, Insightful)
Unfortunately there's not a mouthpiece for a giant multibillion dollar industry available to sue people who "make available" personal information.
Nor are their investigators roaming the internet making warrantless searches for offenders.
Nor are there lobbyists sending Congressmen on junkets to ensure that maximally favorable and punitive laws are passed.
And when the government serves up your personal information, even through a contractor, you usually can't sue anyone, and if you do, it takes most of a deca
Nelson (Score:3, Funny)
Nelson Muntz, "Hah hah."
Private information stolen from CLEAR (Score:5, Funny)
Simple solution (Score:5, Funny)
Just add all those names to the no-fly list.
IT is facing the same problem EVERYWHERE. (Score:3, Insightful)
I'm not surprised this happened...well, maybe I'm surprised that a security company would leave that kind of data on a laptop.
Fact is, this happens everywhere and it's going to get harder to manage. Unless you start taking people's laptops and even their desktop PCs away from them, you'll never stop it. Add to that the fact that you can get 16 GB flash drives and 80 GB iPods. The only ways to stop this are to (a) encrypt data, or (b) take users' toys away. Neither happens without a huge fight.
Encrypting laptops is a really big challenge. If you let users do it themselves (using vendor software, Windows EFS or others,) then they hold all the encryption keys and could make it impossible for you to get the data back in the event they get fired or quit. Implementing enterprise encryption is another road, but has its own set of problems. You have to have a full-time admin to keep the public key infrastructure up, revoke and reissue certs, etc. You also need to spend a large sum of money -- RSA and others make huge bucks every year selling enterprise-level disk encryption software. This is a very hard fight to win until something bad like this happens. And even if you get the software purchased, convincing the execs that you also need someone to look after it is tough.
Plus, you cannot stop a developer from taking the customer database home on a 1 TB disk drive to write/test software against. Unless you're disciplined enough to scrub any dev data of any customer information, it will be used. Even if you tell them they're fired if they take home data, being fired isn't the permanent black mark it used to be. Not everyone's a professional.
So, either completely limit access to data, or take toys away. Everything else is just a band-aid. I odn't mean to sound defeatist, but unless you give employees some incentive to protect customer privacy, they won't do it. Security is a major pain in the butt...even I think so. The key is to make security "not a pain."
Targeted theft? (Score:3, Interesting)
Re: (Score:3, Insightful)
oops - we fucked up and gave away your data, sorry, won't happen again...
or
oops - the whole basis for us being here at all is undermined because the process of background checking as a way to pinpoint troublemakers is fundamentally flawed. The background checks we make on our own staff are clearly as worthless as the ones we run on you.
I wonder what checks they do run anyway - I bet most of them are focused on ensuring that the check for $128 doesn't bounce.
Firefox is probably more pic
Mandatory BOFH reference (Score:3, Funny)
Real-ID resistance (Score:3, Insightful)
From the perspective of a Clear user... (Score:3, Informative)
I work in DC, and live in Jacksonville, FL, and I normally travel back to the District on Monday mornings. i was stunned to see how long the security lines were at Jax International, even at 6:15 in the morning, and with a full slate of TSA scanners and personnel on the job.
There is nothing like being able to walk past a line of three or four hundred flyers, skip right to the head of the line and be at the gate with enough time to hit the head and grab a coffee. I have zero stress when flying now.
That being said, I'm certainly upset about the laptop theft, and the "inside job" theories might have some truth to them, considering this was supposed to be in a locked office. I don't necessarily buy the "stolen to order' conspiracies, but it is worrisome. I'll continue to do what I always have - monitor all my accounts, credit reports, etc. and hope this gets solved in a quick and reasonable fashion.
As for the necessity to hand over a lot of private information, let me explain what the procedure is:
When you apply for a Clear card on line, you provide the same information, initially, that would would ordering a product: name, address, phone, and a credit card for the screening fee only ($28 which goes to the TSA). Part of the on-line application process is providing your SSN. In this care, it's a necessary evil, since Clear has to access information only you would know. I would assume they're getting this off credit reports or public records. You answer three or four questions, and if the answers are satisfactory, you move on to the next step. You print out a document with a registration number.
That step requires an appearance, in person, at the local airport with the Clear service counters. They check your registration, and you have to provide two forms of identification. One can be any government-issued picture ID. The other, however, must be a government-issued birth certificate or a valid passport. I tried to use a birth certificate issued by the hospital where I was born in 1955, but they refused to accept it. This required me to order a new BC from the state where I lived, and finsish the process another day.
Once that's finished, you stand at a kiosk and have all your fingerprints and one iris scanned. They save two or three of the fingerprints and the iris, and the data from both are eventually encoded into the chip on the smart card they issue you.
The wait for the card can be nearly a month.
As protective as I am of my privacy, I really didn't have a lot of issues with what I had to do to get this. I am an IT contractor and former federal employee, and I have a high security clearance. I had to give up a lot more during that investigation, including having family, friends and neighbors interviewed about my character. Since this is a requirement of the job, I have nothing in my past to hide, and it means a much higher salary, I'm not going to raise too much of a stink.
Clear, on the other hand, didn't get anything from me that isn't easily available (or steal-able) to anyone with a few dollars and a couple of private detectives on the Rolodex. Go to one of these "free credit report" sites and request to see what's on that thing. You have to answer some of those questions I mentioned before, and what they have is pretty interesting, and deep.
I'd be lying if I said this laptop theft doesn't worry me. I have the feeling that the idiot who stole it probably won't even look on the damn thing, and it will turn up, drive slicked, in some pawn shop.
In the meantime, I'll keep a close eye on everything sensitive (I get lots of practice at work).
And I'll still be jumping the line at the airport.
The laptop has been found (Score:3, Informative)
(08-05) 11:59 PDT San Francisco, CA (AP) --
The company that runs an airport security prescreening program says they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
...
Re: (Score:3, Interesting)
Back up there. For all you know, there were people within the company who were calling for proper security controls but were ignored. That's certainly what happened at my last job: our IT team continually raised the subject of full-disc encryption on laptops and we were continually ignored, right up until a laptop with a demo version of our software was stolen from a trade show. Apparently that
Re: (Score:2)
Um, get past the identity theft victims...now the thief has the ability to fake credentials for 33K people who get to go through much reduced security at airports.
To pull the terrorism card: how much would a terrorist organization pay to have the ability to bypass almost all security checkpoints at the airports that participate in the program?
The smart thing to do (from an airport security standpoint) would be to remove all 33K people from the program and make them go through normal security again like eve
Re: (Score:3, Funny)
"We have our Chief Privacy Officer conduct a yearly privacy and data security audit, with her report presented to Clear's CEO and its Board of Directors. This Annual Audit, including any problems identified and steps to be taken to resolve those, is made available to Clear members wishing to have this."
Someone who is a Clear member, please request a copy of this report and post it...
Oh wait, I can do it - I have this list of member details...