Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Clear" Air-Travel Pass Data Stolen From SFO

Posted by timothy on from the is-kip-hawley-thetan-clear? dept.

Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."

5 of 379 comments (clear)

  1. What was that info doing on a laptop? by Animats · · Score: 5, Informative

    What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of an database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.

    The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.

    Let's check out the "Clear" privacy policy. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz, noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."

    Yet there's no announcement of the security breach on the Clear web site.

  2. Current Consumer Reports Magazine by BitterOldGUy · · Score: 4, Informative
    disagrees with you (Sept 2008) Government is by far the worst offender for IS leaks.

    See page 32.

  3. Re:That's okay... by jacquesm · · Score: 4, Informative

    a security audit does not require you to give up your logins / passwords, if it does you're likely being social engineered.

    --
    MP3 Search Engine
  4. Oh Please by mpapet · · Score: 5, Informative

    Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.

    Unsecured computers in the field with live identity information? Check.

    Multiple copies of identity information floating around? Check.

    Many **totally** unaware employees in the field with private data? Check.

    Many **totally** unaware employees at the contractor's office passing private data? Check.

    It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.

    Which, is why the rules, regs, and standards for handling private information is ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  5. CLARIFICATION, breach was limited. by ptbarnett · · Score: 4, Informative
    I'm replying close to the top, so that this will show up as early as possible.

    This is from Clear customer support: consider the source and apply the appropriate amount of salt.

    The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.

    At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.