Slashdot Mirror


"Clear" Air-Travel Pass Data Stolen From SFO

Kozar_The_Malignant writes "A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised."

15 of 379 comments

  1. Security theatre by BWJones · · Score: 5, Interesting

    To have a company intimately involved with *security* not apparently able to manage their own security in a manner that protects the country and their customers is a joke. Fine... having a laptop stolen is common enough and I don't fault them, but having unencrypted data of 33,000 of your customers on that laptop is a crime.

    I never liked the idea of handing over private information in the security theatre that our nation has become, but events like this where private companies motivated by the lowest common denominator really get under one's skin. Why the data was stored in unencrypted formats is inexcusable. I don't know what the penalty should be for something like this, but it should be commensurate with the potential damage it could cause.

    The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently. When the government then has to police these private companies like the TSA is apparently having to now do, the concept is made moot. So.... our options are to continue to live the security theatre with private companies like this or turn the job back over to the government (whose job it is to ensure safety of travel and should not have been in the business of verifying identity for air travel anyway).

    Or... we could go back to the way things were when I could carry pocket knives on planes. (I also remember when you could carry long guns on planes back in the late 80's/early 90's.)

    --
    Visit Jonesblog and say hello.
    1. Re:Security theatre by boaworm · · Score: 5, Insightful

      Yea, and this also brings some interesting light to the issue with "If you have nothing to hide, why don't you want to provide us with your [biometrics|passport|id|*]" argument.

      Refusing to give away address, email, phones, SSID along with fingerprints is almost considered a crime in itself right now, since if you are not planning on terrorist activities, you don't have anything to hide, have you!?

      But here, perfectly innocent people suddenly have all their personal information spread to criminal groups or whoever ends up being the buyer of this information.

      Scary stuff...

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotele
    2. Re:Security theatre by Cruciform · · Score: 5, Insightful

      The whole point of outsourcing information and jobs like this to the private sector is to get the job done better and more efficiently.

      That might be the point for you, but for the government officials there are other points to consider:

      1) Who bid the lowest.
      2) Will the company chosen contribute enough money to my/our campaign in the future.
      3) Is there a way I can profit from my choice of contractor.

      The idea that someone would believe a company is chosen for its actual merits is ludicrous.

    3. Re:Security theatre by Anonymous Coward · · Score: 5, Insightful

      The idea that someone would believe a company is chosen for its actual merits is ludicrous.

      Well, choosing a company based on something abstract like merits is illegal because it's often used to hide #2 and #3. Price is the only consideration you are allowed. Yes, it's stupid, but it's the way the taxpayer demands it be done.

      Honestly, do you think larger corporations are any different? Deals are always given to good old boy friends who will give you something later. It's not even illegal, like it is in government.

    4. Re:Security theatre by greedyturtle · · Score: 5, Interesting

      This is a brilliant paper that sums it all up. It was posted on ./ a few years back, couldn't find the ./ story but I did find the paper:

      I've Got Nothing to Hide and Other Misunderstandings of Privacy

    5. Re:Security theatre by JCSoRocks · · Score: 5, Insightful

      What is it with planes? The only reason planes were so effective in 9/11 is because they TOOK IT OVER and FLEW IT INTO A BUILDING. That sort of thing won't happen again. I have a feeling everyone on the plane would fight it. Continuing to secure them like they're bloody Fort Knox is ridiculous. If the only reason we're worried about it is the potential for loss of human life... we're wasting our time. Why bomb one plane when you could blow up a whole airport terminal? Anyone remember Oklahoma City? Much more devastating than just a plane blowing up in mid-flight.

      Don't get me wrong. I'm all about security where it's needed and where it's appropriate. I'd prefer not to be killed by a terrorist just as much as the next guy... but we've got to maintain some perspective here. You can't stop someone willing to commit suicide from killing people. Look at that guy in Japan that ran over people in a mall with a truck and then started stabbing people. He was armed with a KNIFE.

      Throwing away our rights for the illusion of security depresses me.

      --
      You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
    6. Re:Security theatre by Anonymous Coward · · Score: 5, Insightful

      Nice to see the almost automated partisan knee-jerk moderating system is still working.

      Bury my posts as trolling as fast as you can. It's not /. it's digg!

      I was going to mod you troll, but you genuinely seem to not understand the moderation, so I thought this might be more educational.

      Your posts are moderated as "troll" because your argument is poorly reasoned, poorly expressed, and wholly inflammatory. You fail to address the claims of "security theater" (i.e., why identity verification increases safety of travel), and instead provide a fallacious and derogatory argument.

      Your blaming this on partisanship only demonstrates a total lack of cognizance of your churlish use of logical fallacies to further a point, and moderation as "troll" is well deserved.

      This is slashdot, not digg, and I hope that we have the capability to hold discourse to a higher standard.

    7. Re:Security theatre by Muad'Dave · · Score: 5, Insightful

      Asking someone to show ID to get on a plane seems reasonable to me.

      How does knowing a passenger's identity increase your safety aboard an airplane? I'd rather allow anonymous travel and require mandatory pat-downs than believe I'm any safer because some government hack knows the name of the guy that's willing to die so he can kill a few others.

      So much for not needing 'papers' to travel inside the US.

      --
      Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
  2. Lack of proper management by ds_job · · Score: 5, Insightful

    Please tell me that there is going to either be prison time or a huge *personal* fine for the CEO of the tinpot company who thought that a lock and key was enough security. I'm not talking about firing the person who left it there or propped the door open to do the vacuuming, but the person at the top who says "Yes, this is cost effective and proper." We need to have people at board level think twice about storing our data so shockingly badly.

  3. Skeptical by PPH · · Score: 5, Interesting

    I'm becoming quite skeptical about this whole 'stolen laptop' B.S. After the first few big news stories, I'd expect most corporations to have strict guidelines in place to prevent this sort of thing. And a policy of coming down hard, very hard, on violators.

    I wonder how much one can get per personal record for selling this sort of data to organized crime. And cover your ass by reporting a stolen laptop.

    --
    Have gnu, will travel.
  4. Re:$128, not $100 by seanonymous · · Score: 5, Funny

    They charge a one-time fee of $28 to encode your data with an encryption algorithm known as 'plain text.'

  5. What was that info doing on a laptop? by Animats · · Score: 5, Informative

    What was that info doing on a laptop? That in itself is very suspicious. Nobody should have a full list of the "approved people" outside of a database where each access is logged. That's info a terrorist group would want. It gives them a list of people who won't be searched. Those are the ones to exploit to get something past security.

    The laptop disappeared from a locked room at an airport. This wasn't an ordinary laptop theft. TSA has to assume that the database is now in hostile hands. So now everyone with a "Clear" card should be subjected to extra searches.

    Let's check out the "Clear" privacy policy. "Clear and its subcontractors, pursuant to legal agreements, have a comprehensive information security program to ensure the privacy of Clear applicants and members as well as the integrity of our systems. We apply ID's and passwords to insure that access to systems and data is only on a need-to-know basis. We use encryption (a strong data coding process) for all program sensitive data communications." ... "In the highly unlikely event that a member is the victim of identity theft (defined as the taking of a member's personal information so that fraudulent transactions are made in the member's name) that is the result of any unauthorized dissemination by Clear or its subcontractors, or theft from Clear or its subcontractors, of the member's personal data collected by Clear, we will reimburse the member for any otherwise unreimbursable monetary costs directly resulting from such Identity Theft. In addition, Clear will, at its own expense, offer any such member assistance in restoring the integrity of the member's financial or other accounts." ... "Clear has appointed an independent, outside Privacy Ombudsman, Law Professor Paul Schwartz, noted privacy expert and advocate. He will be identified to members as the person to contact if a member has a privacy complaint or privacy problem with administration of the Clear system or fidelity to our published Privacy Policies. The Independent Privacy Ombudsman is empowered to investigate all privacy complaints, gather the facts, and respond to members, as well as to post responses publicly and prominently on our website."

    Yet there's no announcement of the security breach on the Clear web site.

  6. Oh Please by mpapet · · Score: 5, Informative

    Having worked the contractor side of Identity projects, I promise you the story as provided in the summary is the working norm.

    Unsecured computers in the field with live identity information? Check.

    Multiple copies of identity information floating around? Check.

    Many **totally** unaware employees in the field with private data? Check.

    Many **totally** unaware employees at the contractor's office passing private data? Check.

    It boggles my mind anyone would believe it's better than that. The contractor suffers no consequences and the burden falls on the individual.

    Which is why the rules, regs, and standards for handling private information are ***perfectly*** designed in the U.S. Not that any of you would get off your collective asses and do anything to change it.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  7. Private information stolen from CLEAR by Anonymous Coward · · Score: 5, Funny

    See, this is exactly why I gave them a fake name, address, and SSN when I enrolled in CLEAR.

  8. Simple solution by John Hasler · · Score: 5, Funny

    Just add all those names to the no-fly list.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.