Clear Card Security Breached

[Photo: Rob Cimino, Senior VP of Clear member services, demonstrates the machine by placing his finger on the fingerprint reader.]

The company that’s contracted to provide Clear Card, the TSA’s handy-dandy system for screening out terrorists (or, at least, providing people willing to shell out 150 bucks slightly shorter lines) has managed to lose its customers’ sensitive data and compromise the entire system.

The company that runs the Clear system, which speeds customers through airport screenings, has been prevented from enrolling new customers by the T.S.A. after a security breach affecting some 33,000 customers.

Verified Identity System’s Clear program allows passengers to scan their smart cards at a kiosk for a speedier security screening. T.S.A. spokesperson Ann Davis told CBS an unencrypted computer storing the personal information on the cards went missing from SFO on July 26th.

Davis said VIP is a privately run company that the airport provides with background checks of enrolled customers. Now the company must suspend new enrollments, notify affected customers, and secure computers until they can install encryption.

Current Clear customers will still be able to use their cards while the breach is sorted out.

This isn’t really surprising, considering that the geniuses behind this system didn’t figure out that it would be useful to include a photo ID on the card, something that would have been obvious to the average 5-year-old. This, even though they actually take your picture for no apparent reason.

Then again, coming back from Canada Saturday morning, my wife and I had to go through U.S. Customs on the Canadian side of the border, standing in an inordinately long line.  No worries:  There’s a separate line for those who have submitted themselves for security pre-screening and obtained a card from TSA.  D’oh: But not the Clear card but rather something called “NEXUS” which apparently only works for those going between the U.S. and Canada.

You can’t make this stuff up.

About James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. fredw says:

    If terrorists get that data they will have 33,000 safe prescreened names to use to get on flights. Just to be safe, I suppose that now we will put all 33,000 names on the no fly list.

  2. …until they can install encryption.

    WTF? This is criminally incompetent for a security vendor.

  3. Boyd says:

    fredw: Having the name (or even the rest of the data on the missing computer) isn’t sufficient. It would get them closer to their goal, but by itself, it’s not enough.

  4. Anon says:

    What’s disconcerting about this is that it seems the laptop was stolen from a locked office. In other words, it seems to have been a targeted theft, though perhaps it was merely stolen for identity theft purposes rather than something scarier. Let’s hope that it was just misplaced, and will turn up later under a pile of papers, or something.

  5. fredw says:

    Boyd – Read the news stories on this. Those files contain ALL of the security information on the customers; name, address, dob, ssn, passport number, etc. This is an identity theft kit containing the identities of 33,000 people who are guaranteed to pass security checks. It is naive to think this is not a serious security risk. To keep us safe these names must be put on the list and subject to increased checks at the airport.

  6. sam says:

    Then again, coming back from Canada Saturday morning

    Your laptop make it through unscathed?

  7. James Joyner says:

    Your laptop make it through unscathed?

    The screening was perfunctory even though we had a laptop for our carry-on. There was simply a very long line ahead of us even though it was early on a Saturday morning.

  8. graywolf says:

    Just another incident in the ongoing saga of government stupidity.
    Have we forgotten that 9/11 might have been prevented, if not for the gross incompetence of the government pencil-necks – who wouldn’t last until lunch in a real job, and none of whom had their worthless asses thrown out?

  9. anjin-san says:

    who wouldn’t last until lunch in a real job, and none of whom had their worthless asses thrown out?

    RE: Bush… I could not agree more.

  10. Michael says:

    WTF? This is criminally incompetent for a security vendor.

    I agree, unfortunately it’s pretty much par for the course. No large company seems to understand fundamental electronic security.

    Let’s hope that it was just misplaced, and will turn up later under a pile of papers, or something.

    Hell, that’d be even scarier. If someone wanted to use this information to breach security, they wouldn’t let it be known that it had been taken. If it “turns up”, it still shouldn’t be trusted anymore, every last name on that list should now be suspect, more so than a random name not on the list.

    Have we forgotten that 9/11 might have been prevented, if not for the gross incompetence of the government pencil-necks – who wouldn’t last until lunch in a real job,

    I think this article clearly demonstrates that gross incompetence thrives even in private sector “real jobs”. Bureaucracy exists outside of government.

  11. Michael says:

    Update: As Anon hoped, the laptop has been found in the same locked office where it was “lost”. I still say the data should be treated as compromised.

    Further information:

    The computer held names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information.