Slashdot Mirror


"Clear" Air-Travel Pass Data Stolen From SFO

Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."

8 of 379 comments

  1. What was that info doing on a laptop? by Animats · Score: 5, Informative

    What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of a database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.

    The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.

    Let's check out the "Clear" privacy policy. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz, noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."

    Yet there's no announcement of the security breach on the Clear web site.

  2. Current Consumer Reports Magazine by BitterOldGUy · Score: 4, Informative

    disagrees with you (Sept 2008). Government is by far the worst offender for IS leaks.

    See page 32.

  3. Re:That's okay... by jacquesm · Score: 4, Informative

    A security audit does not require you to give up your logins / passwords; if it does, you're likely being social engineered.

  4. Oh Please by mpapet · Score: 5, Informative

    Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.

    Unsecured computers in the field with live identity information? Check.

    Multiple copies of identity information floating around? Check.

    Many **totally** unaware employees in the field with private data? Check.

    Many **totally** unaware employees at the contractor's office passing private data? Check.

    It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.

    Which is why the rules, regs, and standards for handling private information are ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html

  5. CLARIFICATION, breach was limited. by ptbarnett · Score: 4, Informative

    I'm replying close to the top, so that this will show up as early as possible.

    This is from Clear customer support: consider the source and apply the appropriate amount of salt.

    The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.

    At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.

  6. Re:Security theatre by Dekortage · Score: 3, Informative

    I haven't made it far through the article, but it's good so far...

    "...in a more compelling form than is often expressed in popular discourse, the nothing to hide argument proceeds as follows: The NSA surveillance, data mining, or other government information-gathering programs will result in the disclosure of particular pieces of information to a few government officials, or perhaps only to government computers. This very limited disclosure of the particular information involved is not likely to be threatening to the privacy of law-abiding citizens. Only those who are engaged in illegal activities have a reason to hide this information. Although there may be some cases in which the information might be sensitive or embarrassing to law-abiding citizens, the limited disclosure lessens the threat to privacy. Moreover, the security interest in detecting, investigating, and preventing terrorist attacks is very high and outweighs whatever minimal or moderate privacy interests law-abiding citizens may have in these particular pieces of information.

    "Cast in this manner, the nothing to hide argument is a formidable one. It balances the degree to which an individual's privacy is compromised by the limited disclosure of certain information against potent national security interests. Under such a balancing scheme, it is quite difficult for privacy to prevail.

    ...

    "Many commentators had been using the metaphor of George Orwell's 1984 to describe the problems created by the collection and use of personal data. I contended that the Orwell metaphor, which focuses on the harms of surveillance (such as inhibition and social control) might be apt to describe law enforcement's monitoring of citizens. But much of the data gathered in computer databases is not particularly sensitive, such as one's race, birth date, gender, address, or marital status. Many people do not care about concealing the hotels they stay at, the cars they own or rent, or the kind of beverages they drink. People often do not take many steps to keep such information secret. Frequently, though not always, people's activities would not be inhibited if others knew this information.

    "I suggested a different metaphor to capture the problems: Franz Kafka's The Trial, which depicts a bureaucracy with inscrutable purposes that uses people's information to make important decisions about them, yet denies the people the ability to participate in how their information is used. The problems captured by the Kafka metaphor are of a different sort than the problems caused by surveillance. They often do not result in inhibition or chilling. Instead, they are problems of information processing--the storage, use, or analysis of data--rather than information collection. They affect the power relationships between people and the institutions of the modern state. They not only frustrate the individual by creating a sense of helplessness and powerlessness, but they also affect social structure by altering the kind of relationships people have with the institutions that make important decisions about their lives."

    It's a great analysis of the issues, laying out what the heck privacy really is, anyway.

    --
    $nice = $webHosting + $domainNames + $sslCerts

  7. Re:Security theatre by krbvroc1 · Score: 3, Informative

    The company in question was founded by Steven Brill who founded CourtTV and American Lawyer magazine.

    He is from NY state and is a solid Democrat from what I can tell (according to his campaign contributions).

  8. The laptop has been found by origamy · Score: 3, Informative

    So reports the SF Chronicle in an article from the AP:

    (08-05) 11:59 PDT San Francisco, CA (AP) --

    The company that runs an airport security prescreening program says they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
    ...