TSA Loses Laptops With 'Verified' Flyer Details

from the your-middle-name-is-what-now? dept

The concept of a "trusted" or "verified" traveler program at airports has been shown for years to be not particularly secure -- but that didn't stop the TSA from aggressively rolling out the program. There's no doubt that, for frequent travelers to locations participating in the "Clear" program, it's wonderful. You pay $100/year and you get to bypass all the security lines, and head to a special faster security screening line, supposedly because your background is already "cleared." As Bruce Schneier writes in the above link, in terms of security, all this really does is give those looking to break security a better target. Get some "terrorists" on the list, and you've just made life a lot easier.

Either that, or pretend to be someone on the list.

And what better way to do that than to get your hands on the details of everyone on the list? Well, it appears that the TSA has forgotten its middle name, and failed to protect its own laptop carrying the (unencrypted, of course) details of 33,000 people on the Clear list (Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it's not clear that the difference here really matters). While it certainly may have just been lost or stolen by someone who wanted a free laptop, whoever has that laptop now has the names, addresses and driver's license or passport numbers of 33,000 applicants. It's unclear if it indicates which of those applicants were approved, but I would still imagine that info would be useful to someone looking to bypass airport security.

The company that runs the program, Verified Identity Pass, issued a statement that isn't particularly comforting:
"We don't believe the security or privacy of these would-be members will be compromised in any way."
First of all, that's not true. If you've exposed people's names, addresses and driver's license or passport numbers, their security has certainly already been compromised. But, more importantly, rather than those individuals' security and privacy, I would be worried about overall airport security, which has now been compromised. Update: So, this is weird. The laptop has been found. Where was it? Right where it was last seen. Not clear if it was actually lost or someone just got confused or what -- but still not particularly comforting.


Reader Comments

  1.  
    Anonymous Coward, Aug 5th, 2008 @ 12:30pm

    The TSA is a joke. They are on par with the same idiots in charge of security at your average branded community.

     

  2.  
    John, Aug 5th, 2008 @ 12:31pm

    TSA didn't lose it....

    Unless those other news reports had it wrong, the company Verified Identity Pass owned and collected the data and failed to encrypt it. It was in a locked office, but then my house was locked when we were burgled, so ...

    Point is that if you wish to blast someone for not taking security seriously, in this case it's hard to see why TSA is getting blamed.

     

  3.  
    Lickity Split, Aug 5th, 2008 @ 12:37pm

    Re: TSA didn't lose it....

    because the TSA contracted this company to do the work and paid them with taxpayer money, so legally they are the responsible party.

    Would you give the TSA as an organization a pass because one "employee" let a terrorist through the check point with a bomb..."hey man it's not the TSA's fault it was that one guy that let him in"...

     

  4.  
    JB, Aug 5th, 2008 @ 12:41pm

    Background Doesn't Matter On My Flight

    Who cares if their background is pre-cleared?

    All that really matters is today, right now, are they carrying a bomb or a weapon?

    All passengers need the same pre-flight screening. I don't care if Osama Bin Laden himself is sitting next to me on a plane, as long as he doesn't have a bomb or a box cutter in his briefcase.

     

  5.  
    dcg, Aug 5th, 2008 @ 1:41pm

    Re: Background Doesn't Matter On My Flight

    You say that but it's not true...

    OBL would be a real PITA to sit next to: constantly calling you an infidel dog, bitching about the violations of the Koran all around him, and I'll bet you $100 he snores...

     

  6.  
    ScaredOfTheMan, Aug 5th, 2008 @ 1:47pm

    identity theft yes, security risk for flights....not so much

    This is really bad news for those people on the list, now if that data falls into unscrupulous hands someone will assume their identity and do the awful things to their credit.

    But to assume their identity to get on a plane will be a little more difficult as you will need to pass a retina scan (part of the Clear enrollment) before you get past the gate.

     

  7.  
    Anonymous Coward, Aug 5th, 2008 @ 1:53pm

    Re: Background Doesn't Matter On My Flight

    There are no terrorists. They only exist as a way of keeping you scared, keeping you a sheep in the system.

    It's nothing more than a social control device.

    Here, let me say it so you'll understand:
    "baa, baa baa, baa."

     

  8.  
    tm, Aug 5th, 2008 @ 1:59pm

    Laptop Encryption Question

    I had a friend at GE in the financial dept under the large hospital equipment dept. He had a work laptop that somehow had this encryption key and a fob that changed digits like every 30 seconds. Whenever he used his laptop, he had to enter this code from the fob. The idea was that if he ever lost or got his laptop stolen, the person who had the laptop could not access the hd contents unless they had this code, only found on his fob.

    Do our gov't agencies or organizations as large as the TSA with private info not use security like this? And if they do, should we really be all that worried about the info on these computers?

     

  9.  
    Larry, Aug 5th, 2008 @ 2:05pm

    Re: Re: TSA didn't lose it....

    Not true. Like you, I haven't read the contract but I've read a lot of them and I'm pretty sure there will be all the proper legalese in there concerning data protection from loss/destruction/misuse.

    Unless SOMEHOW that detail wasn't in the contract, then the contractor is fully responsible (both legally and morally) and the TSA is not.

    Won't stop the bad press and TSA bashers (of which I'm one) however.

     

  10.  
    Osama Bin Hidin', Aug 5th, 2008 @ 2:07pm

    99% of the companies that the Government contracts things out to are incompetent to do the work they're contracted for. Everything gets "fast tracked" into some Senator's buddy or fund raiser's nephew's company, and the only ones who get screwed are the public. I used to work for the TSA, back when it was founded. There were a lot of highly qualified, highly motivated people who were very concerned about this country's security. When it became clear that most of those running the organization (political appointees) were only interested in looking like they were doing something, rather than actually making things secure, most of us left. You don't need a screened passenger to put a bomb on board a plane, the non-US citizens who clean the airport bathrooms can do it, as they go through no screening whatsoever on a daily basis, and have access to all the secure areas of the airport.

     

  11.  
    to continue, Aug 5th, 2008 @ 2:10pm

    Re:

    Sure, they face an "initial" background check, but who's to say that the "Manuel Labor" that shows up on Tuesday is the same guy who passed the background check? Nobody checks them as they come and go, and while they have picture ID cards, so do guys on the streetcorners of East L.A., and for $30, you can have one too.

     

  12.  
    Anonymous Kansas Coward, Aug 5th, 2008 @ 2:20pm

    Re: Re: Background Doesn't Matter On My Flight

    #7, you're an idiot. Have you ever heard of the World Trade Center?

     

  13.  
    Estelle, Aug 5th, 2008 @ 2:31pm

    Re: Laptop Encryption Question

    I have one of those fob gadgets for my Paypal account. When I want to log into my Paypal account, I have to type in my username and password and then on a second screen I am asked to press the button on the handheld gadget, which creates a 3 digit code that is good for 30 seconds. I am then required to type in that 3 digit code and hit the Enter key. I'm a tech and I have no idea how this damned thing works.

     

  14.  
    Steve, Aug 5th, 2008 @ 2:52pm

    Does it matter? It's not like our government is computer literate or will be for that matter. Just ask Lee Gomes at the WSJ. HA!

     

  15.  
    Anonymous Coward, Aug 5th, 2008 @ 2:55pm

    Re: Re: Re: Background Doesn't Matter On My Flight

    This is a stupid conversation. #7 and #12, both of you shut up, thank you.

     

  16.  
    Enis McGee, Aug 5th, 2008 @ 3:45pm

    Another one, or same one?

    Is this the "missing laptop" you speak of? or another security breach?

    http://www.bizjournals.com/eastbay/stories/2008/08/04/daily32.html

     

  17.  
    iblanetheirmom, Aug 5th, 2008 @ 3:53pm

    TSA is a JOKE!!

    For the past three months I have flown 1-3 flights a week. Countless hours lost to retarded lines that make me feel no safer to fly than pre 9-11. We have basically hired McDonalds drive through qualified individuals, paid them way too much money to automatically assume that every American is a terrorist. Every airport seems to have different search procedures, different treatment of fliers but they all have one thing in common, their job is a joke, "Homeland Security" is a joke, give me my rights back, my time back, and stop creating another tier of society, those that can buy their freedoms and those who are criminal for not proving otherwise by being forced to allow an unlawful search of personal property.

     

  18.  
    Ryan, Aug 5th, 2008 @ 5:04pm

    the real question

    The real question I keep asking whenever I read about these things is:

    Why is this data on a laptop to begin with?

    I keep hearing of all these stories, and I find no reason why all these laptops have plain text files of all this data on them. It shouldn't be sitting around in plain text, and it shouldn't be on laptops.

    This is what VPN is for people.

    Is it time for a law against storing CC#, DLN, Passport, or SSN information on any portable device?

     

  19.  
    Perry Masonary, Aug 5th, 2008 @ 5:14pm

    Another chapter in the continuing saga of

    they do not give a rats ass about whether your personal information is kept secure or is divulged

    Companies, government, your doctor ... they do not have a reason to care.

    One of these days someone will take them to court.

     

  20.  
    Anonymous Coward, Aug 5th, 2008 @ 8:00pm

    Re: Re: Re: Background Doesn't Matter On My Flight

    those terrorists mostly blew themselves up. now are any left?

     

  21.  
    Anonymous Coward, Aug 5th, 2008 @ 10:33pm

    In the interest of security the first thing that needs to be done is to put those 33,000 people whose identities have been compromised straight onto the no-fly list.

    On the bright side, at least the TSA has a ready supply of potential replacement laptops to pick from.

     

  22.  
    Enrico Suarve, Aug 6th, 2008 @ 3:57am

    A farce from beginning to end

    Couple of things:

    1) Before Osama turned 'bad', before he was friends with the CIA, before all that, he was the son of a very well respected family (shake hands with the Bushes and all that good stuff) - who says that just because you aren't a threat today you won't be tomorrow? Therefore the whole concept of a 'Clear' list is ridiculous

    2) As noted by other posters the quality of staff enforcing the 'rules' isn't exactly sky high. I don't know what it's like in the US at the moment, but whenever I fly from the UK I take one look at the spotty reject nosing through my hand luggage and think "If you're the last line of defense between me, and a criminal mind so ingenious they can make a bomb out of 101ml of water then I am so DEAD!"

    3) If you contract out work to the lowest bidder (or let's be honest your best mate), no matter how much legalese you get them to sign and whether or not you are legally liable it's still YOUR FAULT when something goes wrong. You trusted someone who was not worthy of trust. The same people who are saying otherwise in this thread are probably the exact same people who would jump all over me if I were to double click on every attachment which came from someone I trusted

    4) The laptop was 'found' - yeah right, translation: "We are getting shit loads more flak from this than we expected and since we still have copies of the data you can't prove anything". Whether it was found or not the best that can be said is that this sensitive information is revealed to be stored on an unencrypted portable device, which they do not keep good tabs on and have no idea where it is some of the time. Serious security that!

    5) As for the statement "Yes, it was sensitive privacy information, but not the stuff that was most sensitive", translation: "We store that on a CD...". Once you have got to the point where you have stolen 33,000 ($3.3million TSA dollars worth incidentally) records containing enough information to potentially clone supposedly 'safe' IDs, does it really matter if you didn't manage to get their sexual preferences?

     

  23.  
    llorgam, Aug 6th, 2008 @ 5:37am

    get it straight

    "(Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it's not clear that the difference here really matters)."

    no it was NOT the TSA that lost the laptop: it was a PRIVATE firm whose office was broken into. Granted, the laptop was not encrypted (a cost saving measure -- private firms do that a lot nowadays). The office was at SFO, so the airport didn't provide strong doors(?).

    the program is supported by user fees, so tax dollars are not as much an issue.

    Try to keep it straight -- or at least share the stuff you're smoking

     

  24.  
    Anonymous Coward, Aug 6th, 2008 @ 7:14am

    Re: get it straight

    "no it was NOT the TSA that lost the laptop: it was a PRIVATE firm whose office was broken into."
    Yeah. A private firm employed by the TSA. So you're trying to argue that the TSA isn't responsible for the actions of those it employs?

     

  25.  
    Anonymous Coward, Aug 6th, 2008 @ 7:17am

    The laptop was "found"? If it was there, and then it wasn't, and then it was, you'd better operate on the assumption that everything on it has been compromised. It's not like the data couldn't be copied and the physical device returned.

     

  26.  
    Mike, Aug 6th, 2008 @ 1:18pm

    Giving so much power to the uneducated...

    Would YOU work for the TSA? Enough said. I can't trust the Khmer Rouge types at all!

     

  27.  
    Mike again, Aug 6th, 2008 @ 1:26pm

    Laptops multiplied by airports...

    Does this mean that they have UNENCRYPTED laptops that can be easily STOLEN at every major airport in the US? Sensitive info should never be stored on laptops or on networked computers.

     

  28.  
    Howard_NYC, Aug 11th, 2008 @ 5:24pm

    Q: if they cannot guard a laptop, how can they protect an airport?

    Q: if they cannot guard a laptop, how can they protect an airport?

    the deal was, citizens would trade comfort for safety... and now we have neither...

    if TSA keeps this or any other vendor capable of such a knucklehead play, there should be terminations of senior managers...

    the C-levels at the vendor should be asked to step down -- today

     
