from the your-middle-name-is-what-now? dept
The concept of a "trusted" or "verified" traveler program at airports has been shown as
not particularly secure for years -- but it didn't stop the TSA from aggressively rolling out the program. There's no doubt that, for frequent travelers to locations participating in the "Clear" program, it's wonderful. You pay $100/year and you get to bypass all the security lines, and head to a special faster security screening line, supposedly because your background is already "cleared." As Bruce Schneier writes in the above link, in terms of security, all this really does is give those looking to break security a better target. Get some "terrorists" on the list, and you've just made life a lot easier.
Either that, or pretend to be someone on the list.
And what better way to do that then to get your hands on the details of everyone on the list. Well, it appears that the TSA has forgotten its middle name, and
failed to protect its own laptop carrying the (unencrypted, of course) details of 33,000 people on the clear list (
Update: to clarify, the laptop was actually lost by a TSA vendor, but considering these were applications made to the TSA, it's not clear that the difference here really matters). While it certainly may have just been lost or stolen by someone who wanted a free laptop, whoever has that laptop now has the names, addresses and driver's license or passport numbers of 33,000 applicants. It's unclear if it indicates which of those applicants were approved, but I would still imagine that info would be useful to someone looking to bypass airport security.
The company that runs the program, Verified Identity Pass, issued statement that isn't particularly comforting:
"We don't believe the security or privacy of these would-be members will be compromised in any way."
First of all, that's not true. If you've exposed people's names, addresses and driver's license or passport numbers, their security has certainly already been compromised. But, more importantly, rather than those individuals' security and privacy, I would be worried about overall
airport security, which has now been compromised.
Update: So, this is weird. The laptop has been
found. Where was it? Right where it was last seen. Not clear if it was actually lost or someone just got confused or what -- but still not particularly comforting.
Filed Under: clear, laptops, lost data, security, tsa, verified identity
