Slashdot Mirror

← Back to Stories (view on slashdot.org)

"Clear" Air-Travel Pass Data Stolen From SFO

Posted by timothy on from the is-kip-hawley-thetan-clear? dept.

Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."

11 of 379 comments (clear)

  1. Security theatre by BWJones · · Score: 5, Interesting

    To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.

      I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under ones skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.

    The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (who's job it to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).

    Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)

    --
    Visit Jonesblog and say hello.
    1. Re:Security theatre by greedyturtle · · Score: 5, Interesting

      This is a brilliant paper that sums it all up. It was posted on ./ a few years back, couldn't find the ./ story but I did find the paper:

      I've Got Nothing to Hide and Other Misunderstandings of Privacy

    2. Re:Security theatre by Profane+MuthaFucka · · Score: 3, Interesting

      Corporate Death Penalty! It's an option that is seldom used, but should be used more and more.

      When corporations break the law and are found guilty, their existence as corporations should be ENDED.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    3. Re:Security theatre by samkass · · Score: 4, Interesting

      That's only true in the very last stage of bidding on government contracts. The key is to have the requirements written "properly". I put the last word in quotes because every contractor wants their special value-add to be made a requirement of all bid requests-- that way they're always cheapest and win the final bid. By the time the final wording is written into any request for proposals, the winner is usually no surprise.

      --
      E pluribus unum
    4. Re:Security theatre by bob_herrick · · Score: 3, Interesting

      This is a local story to me. On the TV news last night one of the security company's staff was interviewed. He asserted:

      o Only publicly available information - name, address, etc. was on the laptop.
      o No private data such as SSID and credit card information were on the laptop

      This does not excuse the lack of security, but it might make those that had their data on the laptop feel better, if true.

    5. Re:Security theatre by fishbowl · · Score: 3, Interesting

      >having unencrypted data of 33,000 of your customers on that laptop is a crime.

      It is a crime, and the person responsible, and anyone that knew or should have known that person had this data on a laptop, should be treated *precisely*, literally, as an enemy of the state, an enemy combatant during wartime, and the incident should be approached with strong suspicion that the loss was no accident. The people responsible will protest their innocence, as do all traitors, and we should be deaf to that.

      This may have been an accident, but it is still the kind of accident that costs your freedom, if not your life.

      --
      -fb Everything not expressly forbidden is now mandatory.
  2. How does this system improve security, anyway? by Reality+Master+201 · · Score: 4, Interesting

    Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?

    Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?

  3. Skeptical by PPH · · Score: 5, Interesting

    I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.

    I wonder how much one can get per personnal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.

    --
    Have gnu, will travel.
  4. Re:Jailtime by Anonymous Coward · · Score: 3, Interesting

    The CIO of this company and everyone involved in the IT policy with regard to security should be in jail forever.

    Back up there. For all you know, there were people within the company who were calling for proper security controls but were ignored. That's certainly what happened at my last job: our IT team continually raised the subject of full-disc encryption on laptops and we were continually ignored, right up until a laptop with a demo version of our software was stolen from a trade show. Apparently that was high-profile enough that the board of directors finally woke up and ordered full-disc encryption for every laptop, although of course by then it was too late.

  5. Re:Current Consumer Reports Magazine by cmat · · Score: 4, Interesting

    I wonder how that number is affected when one considers that the government is more likely to be required to report these types of crimes whereas a private company is not (for the most part).

    --
    -- Humans, because the hardware IS the software.
  6. Re:How many times does this need to happen by QuantumRiff · · Score: 3, Interesting

    Exactly. Why is my Social Security number needed to purchase a cell phone and contract? Does my insurance company need it? Why do credit checks have to be run for everything nowadays? I would honestly prefer giving something like my fingerprint at the store, as long as the employee also had to give theirs, as a way of certifing "yes, they pressed their thumb, I watched them, and they were not coerced".

    I think that the best thing that can happen is that more ID's are stolen, as in millions, as in IRS or some states database. If they can no longer be trusted, they will no longer be used..

    --

    What are we going to do tonight Brain?