TSA Loses Laptops With 'Verified' Flyer Details

from the your-middle-name-is-what-now? dept

The concept of a “trusted” or “verified” traveler program at airports has been shown for years to be not particularly secure — but that didn’t stop the TSA from aggressively rolling out the program. There’s no doubt that, for frequent travelers to locations participating in the “Clear” program, it’s wonderful. You pay $100/year and you get to bypass all the security lines and head to a special, faster security screening line, supposedly because your background is already “cleared.” As Bruce Schneier writes in the above link, in terms of security, all this really does is give those looking to break security a better target. Get some “terrorists” on the list, and you’ve just made life a lot easier.

Either that, or pretend to be someone on the list.

And what better way to do that than to get your hands on the details of everyone on the list? Well, it appears that the TSA has forgotten its middle name, and failed to protect its own laptop carrying the (unencrypted, of course) details of 33,000 people on the Clear list (Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it’s not clear that the difference here really matters). While it certainly may have just been lost or stolen by someone who wanted a free laptop, whoever has that laptop now has the names, addresses and driver’s license or passport numbers of 33,000 applicants. It’s unclear if it indicates which of those applicants were approved, but I would still imagine that info would be useful to someone looking to bypass airport security.

The company that runs the program, Verified Identity Pass, issued a statement that isn’t particularly comforting:

“We don’t believe the security or privacy of these would-be members will be compromised in any way.”

First of all, that’s not true. If you’ve exposed people’s names, addresses and driver’s license or passport numbers, their security has certainly already been compromised. But, more importantly, rather than those individuals’ security and privacy, I would be worried about overall airport security, which has now been compromised. Update: So, this is weird. The laptop has been found. Where was it? Right where it was last seen. Not clear if it was actually lost or someone just got confused or what — but still not particularly comforting.


Comments on “TSA Loses Laptops With 'Verified' Flyer Details”

28 Comments
John (profile) says:

TSA didn't lose it....

Unless those other news reports had it wrong, the company Verified Identity Pass owned and collected the data and failed to encrypt it. It was in a locked office, but then my house was locked when we were burgled, so …

Point is that if you wish to blast someone for not taking security seriously, in this case it’s hard to see why TSA is getting blamed.

Lickity Split says:

Re: TSA didn't lose it....

because the TSA contracted this company to do the work and paid them with taxpayer money, so legally they are the responsible party.

Would you give the TSA as an organization a pass because one “employee” let a terrorist through the check point with a bomb…”hey man it’s not the TSA’s fault it was that one guy that let him in”…

Larry says:

Re: Re: TSA didn't lose it....

Not true. Like you, I haven’t read the contract but I’ve read a lot of them and I’m pretty sure there will be all the proper legalese in there concerning data protection from loss/destruction/misuse.

Unless SOMEHOW that detail wasn’t in the contract, then the contractor is fully responsible (both legally and morally) and the TSA is not.

Won’t stop the bad press and TSA bashers (of which I’m one) however.

JB says:

Background Doesn't Matter On My Flight

Who cares if their background is pre-cleared?

All that really matters is today, right now, are they carrying a bomb or a weapon?

All passengers need the same pre-flight screening. I don’t care if Osama Bin Laden himself is sitting next to me on a plane, as long as he doesn’t have a bomb or a box cutter in his briefcase.

ScaredOfTheMan says:

identity theft yes, security risk for flights....not so much

This is really bad news for those people on the list, now if that data falls into unscrupulous hands someone will assume their identity and do the awful things to their credit.

But to assume their identity to get on a plane will be a little more difficult as you will need to pass a retina scan (part of the Clear enrollment) before you get past the gate.

tm says:

Laptop Encryption Question

I had a friend at GE in the financial dept under the large hospital equipment dept. He had a work laptop that somehow had this encryption key and a fob that changed digits like every 30 seconds. Whenever he used his laptop, he had to enter this code from the fob. The idea was that if he ever lost or got his laptop stolen, the person who had the laptop could not access the hd contents unless they had this code, only found on his fob.

Do our gov’t agencies or organizations as large as the TSA with private info not use security like this? And if they do, should we really be all that worried about the info on these computers?

Estelle says:

Re: Laptop Encryption Question

I have one of those fob gadgets for my Paypal account. When I want to log into my Paypal account, I have to type in my username and password and then on a second screen I am asked to press the button on the handheld gadget, which creates a 3 digit code that is good for 30 seconds. I am then required to type in that 3 digit code and hit the Enter key. I’m a tech and I have no idea how this damned thing works.

Osama Bin Hidin' says:

99% of the companies that the Government contracts things out to are incompetent to do the work they’re contracted for. Everything gets “fast tracked” into some Senator’s buddy or fund raiser’s nephew’s company, and the only ones who get screwed are the public. I used to work for the TSA, back when it was founded. There were a lot of highly qualified, highly motivated people who were very concerned about this country’s security. When it became clear that most of those running the organization (political appointees) were only interested in looking like they were doing something, rather than actually making things secure, most of us left. You don’t need a screened passenger to put a bomb on board a plane, the non-US citizens who clean the airport bathrooms can do it, as they go through no screening whatsoever on a daily basis, and have access to all the secure areas of the airport.

to continue says:

Re: Re:

Sure, they face an “initial” background check, but who’s to say that the “Manuel Labor” that shows up on Tuesday is the same guy who passed the background check? Nobody checks them as they come and go, and while they have picture ID cards, so do guys on the streetcorners of East L.A., and for $30, you can have one too.

iblanetheirmom says:

TSA is a JOKE!!

for the past three months I have flown 1-3 flights a week. Countless hours lost to retarded lines that make me feel no safer to fly than pre 9-11. We have basically hired McDonalds drive through qualified individuals, paid them way too much money to automatically assume that every American is a terrorist. Every airport seems to have different search procedures, different treatment of fliers but they all have one thing in common, their job is a joke, “Homeland Security” is a joke, give me my rights back, my time back, and stop creating another tier of society, those that can buy their freedoms and those who are criminal for not proving otherwise by being forced to allow an unlawful search of personal property.

Ryan (profile) says:

the real question

The real question I keep asking whenever I read about these things is:

Why is this data on a laptop to begin with?

I keep hearing of all these stories, and I find no reason why all these laptops have plain text files of all this data on them. It shouldn’t be sitting around in plain text, and it shouldn’t be on laptops.

This is what VPN is for people.

Is it time for a law against storing CC#, DLN, Passport, or SSN information on any portable device?

Enrico Suarve says:

A farce from beginning to end

Couple of things:

1) Before Osama turned ‘bad’, before he was friends with the CIA, before all that, he was the son of a very well respected family (shake hands with the Bushes and all that good stuff) – who says that just because you aren’t a threat today you won’t be tomorrow?. Therefore the whole concept of a ‘Clear’ list is ridiculous

2) As noted by other posters the quality of staff enforcing the ‘rules’ isn’t exactly sky high. I don’t know what it’s like in the US at the moment, but whenever I fly from the UK I take one look at the spotty reject nosing through my hand luggage and think “If you’re the last line of defense between me, and a criminal mind so ingenious they can make a bomb out of 101ml of water then I am so DEAD!”

3) If you contract out work to the lowest bidder (or let’s be honest your best mate), no matter how much legalese you get them to sign and whether or not you are legally liable it’s still YOUR FAULT when something goes wrong. You trusted someone who was not worthy of trust. The same people who are saying otherwise in this thread are probably the exact same people who would jump all over me if I were to double click on every attachment which came from someone I trusted

4) The laptop was ‘found’ – yeah right, translation: “We are getting shit loads more flak from this than we expected and since we still have copies of the data you can’t prove anything”. Whether it was found or not the best that can be said is that this sensitive information is revealed to be stored on an unencrypted portable device, which they do not keep good tabs on and have no idea where it is some of the time. Serious security that!

5) As for the statement “Yes, it was sensitive privacy information, but not the stuff that was most sensitive”, translation: “We store that on a CD…”. Once you have got to the point where you have stolen 33,000 ($3.3million TSA dollars worth incidentally) records containing enough information to potentially clone supposedly ‘safe’ IDs, does it really matter if you didn’t manage to get their sexual preferences?

llorgam says:

get it straight

“(Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it’s not clear that the difference here really matters).”

no it was NOT the TSA that lost the laptop: it was a PRIVATE firm whose office was broken into. Granted, the laptop was not encrypted (a cost saving measure — private firms do that a lot nowadays). The office was at SFO, so the airport didn’t provide strong doors(?).

the program is supported by user fees, so tax dollars are not as much an issue.

Try to keep it straight — or at least share the stuff you’re smoking

Howard_NYC says:

Q: if they cannot guard a laptop, how can they protect an airport?

Q: if they cannot guard a laptop, how can they protect an airport?

the deal was, citizens would trade comfort for safety… and now we have neither…

if TSA keeps this or any other vendor capable of such a knucklehead play, there should be terminations of senior managers…

the C-levels at the vendor should be asked to step down — today
