According to news reports, an unencrypted laptop containing personal identification information for 33,000 registrants for the “Clear” program was stolen recently from an office at San Francisco International Airport. For those unfamiliar with “Clear”, it is used by several major airports to allow pre-screened flyers to bypass regular security lines. Their customers pay an annual membership fee to be a part of the program and go through a more in-depth screening process that involves submitting to a background check and threat assessment as well as providing biometric data in the form of finger prints and iris scans. As usual, the Breach Blog has a good summary of what’s known so far about the breach.

From The Orlando Sentinel:

“The Transportation Security Administration said it has instructed all airports that contract with Verified Identity Pass Inc. — which operates the “Clear” program at OIA and nearly 20 other airports across the country — to suspend enrollment in the service and to secure all unencrypted computers until encryption software is installed. The agency also instructed San Francisco International Airport, where the laptop was lost, to ensure that Verified Identity Pass immediately contacts everyone whose personal information was stored on the missing computer.”

Verified Identity Pass claims the stolen laptop contained less sensitive information like driver’s license numbers and passport numbers but not any credit-card numbers, social security numbers or biometric information. That’s good, but it doesn’t shake the fact that the stolen laptop was unencrypted in the first place.

For the service they provide, it’s hard to believe the company didn’t consider laptop theft to be a serious enough business risk to warrant the cost of encryption. Even though the compromised information wasn’t as sensitive as it could have been, they’re still losing revenue from new enrollees (at least temporarily) and they’re most likely going to have to deal with increased scrutiny from the TSA. Trust wasn’t broken, but it was surely weakened.

What if it they weren’t as lucky and there happened to be biometric data or social security numbers on the stolen laptop? You shouldn’t base your security efforts on improbable “what ifs”, but can anyone honestly say this is improbable anymore with all the breach notices and stolen laptops reported in the last few years?

Update: Seems Rothman ran into this in ATL on his way to Vegas for Blackhat.

Update 2: Turns out the missing laptop was found. In the same office. Just in a different spot. Either someone jumped the gun on declaring the laptop missing or whoever took it was able to sneak it back into the locked office without anyone noticing. Perhaps it’s a really tiny and inconspicuous laptop? Maybe a MacBook Air? Wouldn’t be the first time one of these has caused problems with airport security… /snark

This entry was posted on Wednesday, August 6th, 2008 at 5:06 pm and is filed under General.