Clear Card Security Breached
The company that’s contracted to provide Clear Card, the TSA’s handy-dandy system for screening out terrorists (or, at least, providing people willing to shell out 150 bucks slightly shorter lines) has managed to lose its customers’ sensitive data and compromise the entire system.
The company that runs the Clear system, which speeds customers through airport screenings, has been prevented from enrolling new customers by the T.S.A. after a security breach affecting some 33,000 customers.
Verified Identity System’s Clear program allows passengers to scan their smart cards at a kiosk for a speedier security screening. T.S.A. spokesperson Ann Davis told CBS an unencrypted computer storing the personal information on the cards went missing from SFO on July 26th.
Davis said VIP is a privately run company that the airport provides with background checks of enrolled customers. Now the company must suspend new enrollments, notify affected customers, and secure computers until they can install encryption.
Current Clear customers will still be able to use their cards while the breach is sorted out.
This isn’t really surprising, considering that the geniuses behind this system didn’t figure out that it would be useful to include a photo ID on the card, something that would have been obvious to the average 5-year-old. This, even though they actually take your picture for no apparent reason.
Then again, coming back from Canada Saturday morning, my wife and I had to go through U.S. Customs on the Canadian side of the border, standing in an inordinately long line. No worries: There’s a separate line for those who have submitted themselves for security pre-screening and obtained a card from TSA. D’oh: But not the Clear card but rather something called “NEXUS” which apparently only works for those going between the U.S. and Canada.
You can’t make this stuff up.
If terrorists get that data they will have 33,000 safe prescreened names to use to get on flights. Just to be safe, I suppose that now we will put all 33,000 names on the no fly list.
WTF? This is criminally incompetent for a security vendor.
fredw: Having the name (or even the rest of the data on the missing computer) isn’t sufficient. It would get them closer to their goal, but by itself, it’s not enough.
What’s disconcerting about this is that it seems the laptop was stolen from a locked office. In other words, it seems to have been a targeted theft, though perhaps it was merely stolen for identity theft purposes rather than something scarier. Let’s hope that it was just misplaced, and will turn up later under a pile of papers, or something.
Boyd – Read the news stories on this. Those files contain ALL of the security information on the customers; name, address, dob, ssn, passport number, etc. This is an identity theft kit containing the identities of 33,000 people who are guaranteed to pass security checks. It is naive to think this is not a serious security risk. To keep us safe these names must be put on the list and subject to increased checks at the airport.
Your laptop make it through unscathed?
The screening was perfunctory even though we had a laptop for our carry-on. There was simply a very long line ahead of us even though it was early on a Saturday morning.
Just another incident in the ongoing saga of government stupidity.
Have we forgotten that 9/11 might have been prevented, if not for the gross incompetence of the government pencil-necks – who wouldn’t last until lunch in a real job, and none of whom had their worthless asses thrown out?
RE: Bush… I could not agree more.
I agree, unfortunately it’s pretty much par for the course. No large company seems to understand fundamental electronic security.
Hell, that’d be even scarier. If someone wanted to use this information to breach security, they wouldn’t let it be known that it had been taken. If it “turns up”, it still shouldn’t be trusted anymore; every last name on that list should now be suspect, more so than a random name not on the list.
I think this article clearly demonstrates that gross incompetence thrives even in private sector “real jobs”. Bureaucracy exists outside of government.
Update: As Anon hoped, the laptop has been found in the same locked office where it was “lost”. I still say the data should be treated as compromised.