Slashdot Mirror
"Clear" Air-Travel Pass Data Stolen From SFO
Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."
To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.
I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under ones skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.
The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (who's job it to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).
Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)
Visit Jonesblog and say hello.
Before they require hardware based encryption for drives containing this sort of data? It seems completely ridiculous to me that they would keep sensitive data like this on an unencrypted drive.
One word of this: Incompetent.
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
"The company has now decided that it might be a good idea to encrypt the data in their systems"
because apparently before locked doors was good enough
You've got social security numbers of thousands of people on company laptops and you didn't make it a policy to encrypt everything?
Seriously?
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
From the "Clear" link: "Clear's first year price is $128."
I'd say that's a bargain to have your identity stolen!
"Anyone who [rips a CD] is probably engaging in copyright infringement." - David O. Carson
Who am I kidding. No, it won't.
... especially since at my workplace, they are starting to think about encryption laptop hard drives, that contain personal information about government related investigations related to people working without permits and that kind of deal.
The thing is, though, they're only encrypting the new tablet PCs we just bought, not the older Thinkpads we used - And the database is imported from the web, which means the unencrypted laptops contain the same data the encrypted ones do...
I have a feeling we'll see even more of these in the near future.
Then they've clearly hired the wrong people for the job. But since when is news like this anything new?
But they were the ones who bought enough congressmen and senators to get the job...surely you're not suggesting there's a better way to choose government contractors?
ZuluPad, the wiki notepad on crack
WTF was data like this doing on something nice and portable like a laptop anyway? I bet it was in an Excel spreadsheet (the database of choice for PHBs everywhere) too.
(And yes, it should have been encrypted.)
-- Alastair
All aboard the FailPlane!
With Pic!
A laptop containing the unencrypted -
NEXT!!!
Assuming this system allows them to reliably identify a person, so what? Do they do extensive background checks and continuous monitoring to ensure that the people aren't involved in terrorism? Or if I have no obvious problems in my background and enough money to pay for it, can I get treated differently too?
Does it basically come down to people paying to not have to stand in line with the rest of humanity at the airport?
So it's the same price as mobileMe, and it provides users with the same level of frustration. Who says government contractors can't compete?
Please tell me that there is going to either be prison time or a huge *personal* fine for the CEO of the tinpot company who thought that a lock and key was enough security. I'n not talking about firing the person who left it there or proped the door open to do the vacuuming, but the person at the top who says "Yes, this is cost effective and proper." We need to have people at board level think twice about storing our data so shockingly badly.
I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.
I wonder how much one can get per personnal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.
Have gnu, will travel.
This might be the best summery I have seen in some time. It has far more usefull informtaion than the linked news story. I want to personally thank the poster for that and suggest we could use a 'goodsummery' tag to balance the 'badsummery' tag that we so often see.
Ascii artist &
I was just thinking earlier today of signing up for that. I do a lot of travel and thought the cost might be worth it to cut down on wait time. Guess not.
Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
Names, SSi number, date of birth .. we need to stop using all of these as ID right now.
My suggestion is this. At some appropriate age, say 16-18 where most countries seem to issue ID, we each choose and commit to memory a graph G, such that the chance of a collision in all earth population is close to zero. Then whenever we need to prove our ID for air-travel or whatever we just need to go though several rounds of identify proof where we generate an isomorphic graph H, and show EITHER isomorphism between H and G, or a Hamiltonian cycle in H. After a sufficient number of rounds your identity would be certain to the required probability and you could be on your way.
The technique to do this mentally could be taught in schools. It's THAT SIMPLE!
Dude, it's called "Clear" for a reason.
I know really. It's always laptops with critical data.
A laptop should be nothing more than a client to the critical data. (Obviously with proper login and security to connect to whatever hosts the critical data)
Bah! So dumb!
Shameless plug alert: Game server control panel
What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of an database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.
The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.
Let's check out the "Clear" privacy policy. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz, noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."
Yet there's no announcement of the security breach on the Clear web site.
Our company was being audited for security, and the auditors lost their papers with information on logins, etc. As a result, we had to change all of our passwords.
The company has now decided that it might be a good idea to encrypt the data in their systems.
NOW? They're NOW deciding that it might be a good idea to encrypt the data? Ok, I don't work in the industry and all but even I, as an uneducated outsider, knows that it's a good idea to encrypt that sort of data. Jebus... That should have been one of the first priorities in developing their systems and procedures...
Back up there. For all you know, there were people within the company who were calling for proper security controls but were ignored. That's certainly what happened at my last job: our IT team continually raised the subject of full-disc encryption on laptops and we were continually ignored, right up until a laptop with a demo version of our software was stolen from a trade show. Apparently that was high-profile enough that the board of directors finally woke up and ordered full-disc encryption for every laptop, although of course by then it was too late.
See page 32.
I don't understand why data like this was on a laptop in the first place. Encrypted or not, it seems problematic to have copies of databases floating around, flying with executives, packaged up neatly in a form that makes it easy to steal (i.e., a freakin' laptop).
What am I missing that I don't get why this database was allowed off the core server that hosts it? Simply from a data integrity standpoint it seems like a bad idea to let multiple copies move around.
Anyone who loves or hates any language, platform, or manufacturer, doesn't know what they're talking about.
I guess my question is....
Could a terrorist organization exploit this information to be able to get someone on a plane who wouldn't have been able to before? A fake passport/drivers license in the name of a trusted passenger who knows all the personal information he should. In any kind of rational security process, each and every one of the CLEAR passengers would now be on the TSA Watchlist, subject to extra scrutiny.
Talk about blowback! Talk about (Alanis Morissette be damned) irony! An intrusive system designed to help trusted passengers bypass an intrusive search for terrorists, allows those same terrorists to bypass the search.
And the worms ate into his brain.
Comment removed based on user account deletion
Blame capitalism!
That shit never worked, man.
Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.
Unsecured computers in the field with live identity information? Check.
Multiple copies of identity information floating around? Check.
Many **totally** unaware employees in the field with private data? Check.
Many **totally** unaware employees at the contractor's office passing private data? Check.
It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.
Which, is why the rules, regs, and standards for handling private information is ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Collaborators with the enemy get what they deserve.
You can NOT make this shit up.
I wouldn't be fired if this happened to my laptop. I would be charged, sued, and ostracized, and find a new line of work. Probably with the phrase 'biggie-size' involved.
Almost as ludicrous as electonic voting...
deleting the extra space after periods so i can stay relevant, yeah.
Like the sysadmin really had a say in this. He probably asked for that a thousand times.
It will be interesting to see the fallout from this episode of "Security Theatre".
OMG! The only, ONLY appropriate response is to temporarily shut down the program, fire the contractor, ban them from future work on this, put it out for bid again and start over.
This is from Clear customer support: consider the source and apply the appropriate amount of salt.
The only personal information that was compromised was for people who were in the midst of the application process. If you are already enrolled and have received your card, your personal info was not in the laptop that was stolen.
At this point, Clear is not planning to notify existing members that their personal info was not stolen. However, I strongly suggested that they rethink that policy, and notify all members of the extent of the breach. The news story quoted in this article doesn't make the distinction between pending applications and enrolled members.
$50 says that they'll keep the key to the encrypted data on a post-it attached to the computer, or use "password" as the password, or have a file on the desktop called "key to encrypted data".
-- I prefer the term "karma escort."
I don't understand why there aren't penalties for this sort of thing. The way I see it this qualifies as criminal negligence because the ramifications for an individual of having their identity stolen can be severe.
If lose of personal data is somehow attributable to negligence on the part of the company, in this case the lack of encryption and maybe not securing the laptop properly, the company should be penalized. The most obvious would be a fine; lets say $10,000 for each account.
My bank, or companies they do business with have managed to lose a significant amount of customer information, not once, but twice in the past year. They mailed out notices and provided customers with some bullshit free access to credit monitoring for 12 months, later extending it to 18 or 24 months. And that's that, it's out of their hands.
But then what the hell do politicians care? With financial institutions like Countrywide giving out extra-low interest rate VIP loans to congressmen they have no incentive whatsoever to look out for our best interest.
I expect the required rules for security of the data were likely in place and applicable to most employees. It would take a special kind of stupid to not have some security rules.
But those rules seldom are applied to upper echelon management who can simply say they want data X in a readable format (probably an Excel spreadsheet) put on that laptop for their trip etc. The higher you are in an organization it seems the less likely you are to think the rules apply to *you*.
Either that or this "theft" is a convenient way to explain how the data got into the hands of a commercial enterprise that purchased the data via a bribe on the side.
In any case, the CEO's of the company all the way down to the employee who lost the data should all be fined and given jail time. I know that won't happen, but it is what should happen.
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Nelson Muntz, "Hah hah."
No sig for you. YOU GET NO SIG!
See, this is exactly why I gave them a fake name, address, and SSN when I enrolled in CLEAR.
Honestly, I think it's time to institute a punishment for a corporation, the most severe punishment that can happen to something that can't be thrown in jail.. Revoke their charter, and nullify the entire company. The corporate death penalty, if you will.
If it happens more often, companies will start to realize that this isn't a matter of getting fined, which their insurance will cover, and their rates will go up a little, but that the company will no longer exist, and can't write paychecks, can't purchase goods, can't deposit money, and their assetts will be sold off to the highest bidder. Might make them a little more "caring" about important issues..
What are we going to do tonight Brain?
Just add all those names to the no-fly list.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
From the PP...
"We have our Chief Privacy Officer conduct a yearly privacy and data security audit, with her report presented to Clear's CEO and its Board of Directors. This Annual Audit, including any problems identified and steps to be taken to resolve those, is made available to Clear members wishing to have this."
Someone who is a Clear member, please request a copy of this report and post it...
Oh wait, I can do it - I have this list of member details...
Nullius in verba
I'm not surprised this happened...well, maybe I'm surprised that a security company would leave that kind of data on a laptop.
Fact is, this happens everywhere and it's going to get harder to manage. Unless you start taking people's laptops and even their desktop PCs away from them, you'll never stop it. Add to that the fact that you can get 16 GB flash drives and 80 GB iPods. The only ways to stop this are to (a) encrypt data, or (b) take users' toys away. Neither happens without a huge fight.
Encrypting laptops is a really big challenge. If you let users do it themselves (using vendor software, Windows EFS or others,) then they hold all the encryption keys and could make it impossible for you to get the data back in the event they get fired or quit. Implementing enterprise encryption is another road, but has its own set of problems. You have to have a full-time admin to keep the public key infrastructure up, revoke and reissue certs, etc. You also need to spend a large sum of money -- RSA and others make huge bucks every year selling enterprise-level disk encryption software. This is a very hard fight to win until something bad like this happens. And even if you get the software purchased, convincing the execs that you also need someone to look after it is tough.
Plus, you cannot stop a developer from taking the customer database home on a 1 TB disk drive to write/test software against. Unless you're disciplined enough to scrub any dev data of any customer information, it will be used. Even if you tell them they're fired if they take home data, being fired isn't the permanent black mark it used to be. Not everyone's a professional.
So, either completely limit access to data, or take toys away. Everything else is just a band-aid. I odn't mean to sound defeatist, but unless you give employees some incentive to protect customer privacy, they won't do it. Security is a major pain in the butt...even I think so. The key is to make security "not a pain."
It's possible that is an "inside job", rather than an opportunistic theft. I mean, the laptop could have been "stolen to order". Identity criminals are getting more organised. Who knows what other data was on that laptop, given that it was being used by a security professional.
Looks like someone used the same trick as the PFY, just three years later.
Everybody assumes that this data would go to criminals for use in ID theft mischief. What if terrorists used it to program their own Smart cards in order to "speed through airport security"?
You expect commercial interests to do dumb stuff like this out of greed or incompetence. Accordingly, the fact that TSA/DHS didn't certify this company's procedures tells you something about their competence/security.
Unfortunately there's not a mouthpiece for a giant multibillion dollar industry available to sue people who "make available" personal information.
Nor are their investigators roaming the internet making warrantless searches for offenders.
Nor are there lobbyists sending Congressmen on junkets to ensure that maximally favorable and punitive laws are passed.
And when the government serves up your personal information, even through a contractor, you usually can't sue anyone, and if you do, it takes most of a decade. And you definitely can't bully the government for a settlement.
As usual, it sucks to be a plain old citizen.
Now perhaps a few more people will understand why we fought so hard to ensure that New Hampshire will not participate in the Real-ID system, or any de facto national ID card that may follow.
Part of the Second American Revolution!
I enrolled in the Clear program back in March. My reasons were very specific: I got tired of fighting long security lines at the airport, and since I work away from home and travel back and forth a lot, the convenience of this system is more than worth the $100.
I work in DC, and live in Jacksonville, FL, and I normally travel back to the District on Monday mornings. i was stunned to see how long the security lines were at Jax International, even at 6:15 in the morning, and with a full slate of TSA scanners and personnel on the job.
There is nothing like being able to walk past a line of three or four hundred flyers, skip right to the head of the line and be at the gate with enough time to hit the head and grab a coffee. I have zero stress when flying now.
That being said, I'm certainly upset about the laptop theft, and the "inside job" theories might have some truth to them, considering this was supposed to be in a locked office. I don't necessarily buy the "stolen to order' conspiracies, but it is worrisome. I'll continue to do what I always have - monitor all my accounts, credit reports, etc. and hope this gets solved in a quick and reasonable fashion.
As for the necessity to hand over a lot of private information, let me explain what the procedure is:
When you apply for a Clear card on line, you provide the same information, initially, that would would ordering a product: name, address, phone, and a credit card for the screening fee only ($28 which goes to the TSA). Part of the on-line application process is providing your SSN. In this care, it's a necessary evil, since Clear has to access information only you would know. I would assume they're getting this off credit reports or public records. You answer three or four questions, and if the answers are satisfactory, you move on to the next step. You print out a document with a registration number.
That step requires an appearance, in person, at the local airport with the Clear service counters. They check your registration, and you have to provide two forms of identification. One can be any government-issued picture ID. The other, however, must be a government-issued birth certificate or a valid passport. I tried to use a birth certificate issued by the hospital where I was born in 1955, but they refused to accept it. This required me to order a new BC from the state where I lived, and finsish the process another day.
Once that's finished, you stand at a kiosk and have all your fingerprints and one iris scanned. They save two or three of the fingerprints and the iris, and the data from both are eventually encoded into the chip on the smart card they issue you.
The wait for the card can be nearly a month.
As protective as I am of my privacy, I really didn't have a lot of issues with what I had to do to get this. I am an IT contractor and former federal employee, and I have a high security clearance. I had to give up a lot more during that investigation, including having family, friends and neighbors interviewed about my character. Since this is a requirement of the job, I have nothing in my past to hide, and it means a much higher salary, I'm not going to raise too much of a stink.
Clear, on the other hand, didn't get anything from me that isn't easily available (or steal-able) to anyone with a few dollars and a couple of private detectives on the Rolodex. Go to one of these "free credit report" sites and request to see what's on that thing. You have to answer some of those questions I mentioned before, and what they have is pretty interesting, and deep.
I'd be lying if I said this laptop theft doesn't worry me. I have the feeling that the idiot who stole it probably won't even look on the damn thing, and it will turn up, drive slicked, in some pawn shop.
In the meantime, I'll keep a close eye on everything sensitive (I get lots of practice at work).
And I'll still be jumping the line at the airport.
Joe Dougherty, Florida, USA
The words I thought I brought, I left behind. So, never mind.
So reports the SF Chronicle in an article from the AP:
(08-05) 11:59 PDT San Francisco, CA (AP) --
The company that runs an airport security prescreening program says they've found a laptop containing the personal information of 33,000 people more than a week after it apparently went missing.
...
The only reasonable thing that they did after 9/11 was lock the cockpit doors. Everything else is BS designed to make you think that they're doing something useful.
I have a feeling everyone on the plane would fight it.
You have a feeling? This was proven an hour and twenty minutes after the first plane hit the Twin Towers, by ordinary Americans correctly assessing the security situation over a field in Shanksville, PA.
Then we hardened the cockpit doors to make double-sure. Everything since then has been a distraction.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Many here are complaining of incompetence in the TSA and other government agencies.
Let me express my affinity with Sam Clemens, Thomas Jefferson and many others when I say: I prefer them this way and so should you. You have no idea how abhorrent the government could be with the trillions of dollars at their disposal. Let us pray they don't become more effective. Please?
Help stamp out iliturcy.
It concerns me that credit card numbers and social security numbers are these all-important pieces of "your identity" that must be carefully safeguarded at all costs. Nobody can know! Except all those entities that ask for then. Like these 'Clear' guys. And exactly 9,267 waiters.
Proof of identity that is equivalent to the identity itself, in entirety, hmmm? Why can any number of people impersonate you, but are trusted not to? Why can your identity be "stolen" from a third party?
I cry for the day when society at large discovers what the sweet loving fuck a private key is, and perhaps even a respectable comprehension of what defines "secure." Security is not so just because your government and the man in the uniform assures you that things are _better_ now, or even simply that the status quo is _perfectly fine_. It's a small subset of your typical Americans (in my experience) that when presented with the latest breakthrough in airport security, have a response beginning with "Couldn't they still just..."
Most are sheep. And a lot of the smarter ones still feel just a teensy bit better.
It doesn't take a hacker's mindset to poke holes in the elaborate security handwavings presented day to day. Do they not care?
Identity is a funny thing here. People are scared shitless of a big brother style national ID card, but line up for state drivers licenses, of which fakes are made plentiful to satisfy the desires of even the most low budgeted of teenagers. Supposedly the government knows you exist if you have a birth certificate. SSN supposedly optional, but I'd love to see someone try. But the government as well as everything private seems to forget who you are from building to building - each asking you again for that same basic info. In practice most things are just as anonymous as they are online. Go ahead, lie about whatever you want. See if they notice. I'm Nat Tellin half the time.
Think for a moment about how you would create a 'new' identity. How terribly possible it is to simply disappear, and pop up again somewhere else as a new person. Bonus points for looking totally benign under scrutiny - perhaps you 'immigrated' from Canada using some thin mask of false credential. Just as long as you keep telling the same lies to all the right people, really. At what point have you succeeded? Genuine but falsified photo id? SSN? Credit history?
All that defines you is ability to provide a series of opaque alphanumeric values that you freely give to most anyone, but are next to impossible to verify.
"Strangers have the best candy" -Me