Clear Registered Traveler Program enrollment is temporarily suspended

Date Reported:
8/5/08 (UPDATED 8/5/08)

Organization:
U.S. Government

Contractor/Consultant/Branch:
U.S. Department of Homeland Security
Transportation Security Administration
Verified Identity Pass, Inc.

Victims:
Airline passengers

Number Affected:
33,000

Types of Data:
"names, addresses, birthdates, and in some cases, driver's license and passport numbers"

Breach Description:
"The Transportation Security Administration suspended Verified Identity Pass from enrolling travelers in its pre-screening program after a laptop computer containing the records of 33,000 people went missing."

UPDATE:
"Officials with Verified Identity Pass, which operates the Clear program, said the laptop was found Tuesday morning in the same office where it supposedly had gone missing." (Source: )

Reference URL:
The Orlando Sentinel
KGO-TV Channel 7 News
Bloomberg News via The Washington Post

Report Credit:
Joseph Galante, Bloomberg News

Response:
From the online sources cited above:

The Transportation Security Administration suspended Verified Identity Pass from enrolling travelers in its pre-screening program after a laptop computer containing the records of 33,000 people went missing.
[Evan] From Clear's Commitment to Privacy: "Since our founding in 2003, we have been committed to the privacy and security rights of our members. We have created an exhaustive privacy and data security program and we will always clearly communicate any changes to that program with members." I don't doubt Clear's commitment. The "exhaustive privacy and data security program" missed the encryption of this laptop. Who would think to encrypt a laptop that may be used to access and/or store confidential information?

For the past year, travelers at SFO have had the option to enroll in the Clear Registered Traveler Program.

Those who sign up get a biometric ID card, which allows them to bypass regular security lines for $128 a year.

The company, based in New York, lost possession of the laptop July 26 at San Francisco International Airport.

The laptop contained unencrypted pre-enrollment records of individuals, the TSA said in a statement yesterday.

The laptop had the names, addresses and driver's license or passport numbers of mostly online applicants to the Registered Travel program, which allows customers to pass quickly through security checkpoints at 17 U.S. airports, the company said in an e-mailed statement.

"We don't believe the security or privacy of these would-be members will be compromised in any way," said Steven Brill, chief executive of Verified Identity Pass.
[Evan] I appreciate when a chief executive comments on information security matters. In my opinion it shows a sense of commitment. I have a slight problem with the "in any way" portion of his comment though.

The company says the thief would have to bypass two separate passwords to obtain any personal information.
[Evan] Big deal. I think it is more likely that the thief doesn't know or care what is on the laptop than it is that passwords would prevent access.

Verified Identity Pass has more than 200,000 customers.

It already started notifying the affected people about the breach.

The laptop was stolen from a locked office in the airport, the company said.

"There is a very bad sense of irony here, that a company entrusted in this kind of information or with this kind of information, somehow had a laptop computer stolen from its offices here," said Henry Harteveldt, an airline industry analyst from Forrester Research.

The Transportation Security Administration is temporarily prohibiting new customers from enrolling in the Clear program.

No telling how long the enrollment process will be suspended; the TSA says it will depend on how long it will take for the company that runs Clear to notify its applicants and improve the security on its computers.
[Evan] I don't often applaud government agency decisions, but I do applaud the TSA for enforcing information security policy and/or procedure with their service provider(s). I hope that the same holds true with all of their service providers, not just Clear.

"Basically what we're doing is we're downloading new software into all our laptops at the airports, more encrypted and revisiting all the enrollment procedures here," said David Pfeiffer, the Clear general manager.

Clear customers say the sooner the changes are made the better, although no one seemed too worried about the security breach.
[Evan] The people that aren't worried about breaches of security are perfect victims.

"Your information is everywhere and people volunteer their information on places like Facebook, on Twitter, on MySpace and stuff," said Giovanni Galluci, a traveler.
[Evan] This is a sad statement. Does this statement (in the context of the news article) demonstrate a justification that somehow it is OK to put confidential information at risk unnecessarily? Does this statement demonstrate a general lack of concern? Lack of concern makes people very easy prey.

"I guess this is just one of many ways that people can get our information. I mean you hear about it all the time, laptops being stolen," said Scott Buttles, a traveler.
[Evan] We read about confidential information stored on poorly secured stolen laptops at least weekly, but it doesn't make it right or acceptable. The people who deal in stolen information care quite a bit. They are making a living from it.

As for who stole the laptop in the first place, authorities are still investigating. There were no apparent signs of a break-in.

Commentary:
For those of you who have read Breach Blog postings before, you realize that the vast majority of the breaches I write about concern personally identifiable information. There are a couple of reasons for this: one, the information about the breaches is generally easy to find in news outlets, government web sites, and other blogs; and two, if a breach affects someone personally, then they are more apt to be aware of the problem.

Many of the information security principles that I comment about hold true in their application to other types of sensitive information. Sensitive information might be medical information (PHI), intellectual property, trade secrets, patents, non-public financial information, marketing plans, etc. If information is meant to be secret, it must be protected. If information is meant to be accurate, it must be protected. If information is meant to be available, it must be protected.

I could preach all day, but hopefully you get the point.

Past Breaches:
Transportation Security Administration:
October, 2007 - Stolen laptops expose thousands of TSA records
January, 2008 - House committee issues report and finds fault with TSA web site
Verified Identity Pass, Inc:
Unknown
