AP Newswire is reporting this morning that CLEAR has found a laptop (also see CLEAR Press Release) that had gone missing for over a week from one of its kiosk locations that contained the “personal data” of over 30,000 enrolled members at San Francisco International Airport, and that CLEAR enrollment has been temporarily suspended pending further investigation, which should be completed by the TSA within several days.
Click on the "Read the rest of this entry" link below for more.
While this all sounds bad on the surface, it’s really no big deal. The laptop was found in the same location it had been “missing” from, so really, they never lost it or had it stolen in the first place. The so-called “personal” information that the laptops contain?
"The data in question on the laptop included a limited amount of the online applicant’s personal information, but did not include any credit information, including credit card numbers. And it did not include the applicant’s Social Security number. It also did not include any biometric information, such as the applicant’s encrypted fingerprint images or encrypted iris images (which are supplied during the second, in-person enrollment process that takes place at the airport)."
Nothing entirely different than you would find in your average phone book – no Social Security Numbers, no Credit Card numbers, no ID photos. Nothing that could be used to perform identity theft. After speaking with CLEAR’s representatives this morning, it seems that all the laptop does is provide basic identification data – name, address and phone number, and birth date (which arguably, isn't that useful to an identity thief without an SSN) the same information which is used in the Phase II kiosk enrollment process, which occurs AFTER you have provided data online that contains your vitals which are screened an initial time by the TSA as well your billing info. It’s not used to actually pass you thru the CLEAR lanes. The personal identification data on the laptop is also protected with two layers of passwords, so even if the laptop were to get stolen, it would be difficult to compromise (EDIT: although the laptop should have used encrypted drives and encrypted data as well, which I understand is something the company is now going to enforce) And without your CLEAR card which stores your biometric "favorites", you can’t be screened through their lanes anyway.
Apparently, it is CLEAR policy to have laptops bolted down or cable secured to the desks at airport-based phase II enrollment facilities so they can’t just “go missing”. However, in this instance, it appears to be a case of Murphy’s Law where what can go wrong, will go wrong -- it wasn’t bolted down, a staff member picked it up and moved it, it disappeared for a week, and they found it in the same location it originated from. God knows, it happens to the best of us.
But CLEAR needs to now ensure that EVERY piece of IT equipment that contains customer information is completely secured and just can’t go walking. The data on these systems must certainly be encrypted with the strongest cyphers that are available for commercial use. A good start would be PGP which is what many financial institutions use to give to their mobile workers that handle sensitive data.
If I were Steven Brill, I’d also strongly consider eliminating laptops entirely with local caches and using Thin Client technology that talks to a central server for whenever they actually need to access customer information. A Wyse graphical terminal with a Citrix connection to the home base is all they need. CLEAR can simply partner with the Wi-Fi ISPs in the airports and create a secure VPN tunnel to their servers in Florida and have no enrollment information stored at the kiosks at all. Yes, it introduces further complexity and introduces the possibility of a link going down occasionally when a customer wants to do a Phase II enrollment, but for piece of mind, it's worth it.
Has your confidence in CLEAR's security protocols been re-established now that you know the truth of the matter? Talk Back and let me know.