Missing laptop grounds US Registered Traveler program
The U.S. Transportation Security Administration (TSA) has temporarily stopped a vendor from signing up new customers for its Registered Traveler program after a company laptop containing the unencrypted personal data of 33,000 people went missing at the San Francisco International Airport.
The laptop, owned by vendor Verified Identity Pass (VIP), contained personal records of customers seeking to enroll in the company's Registered Traveler program. VIP, under the brand Clear, is one of seven vendors authorized by TSA to offer Registered Traveler programs, which allow frequent air travelers to have background checks completed before they travel so that they can spend less time in security lines at airports.
VIP began notifying customers of the breach late Monday, when the TSA announced it had occurred.
The VIP laptop was reported missing July 26, the TSA said. The agency, late Tuesday, said it was suspending new enrollment in VIP's Registered Traveler program while the company takes steps to comply with TSA's security requirements. The TSA requires Registered Traveler vendors to encrypt personal data, said TSA spokeswoman Ann Davis.
"We did set up some security standards in the beginning, and encryption was critical," Davis added.
The laptop, which had two layers of password protection, was housed in a locked office with security cameras, VIP said. The laptop contained customer names, addresses, birth dates, and in some cases driver's license numbers, passport numbers or alien registration numbers, the company said.
The laptop did not contain credit card or Social Security numbers, or biometric information such as fingerprints, VIP said.
"We don't believe the security or privacy of these would-be members will be compromised in any way," VIP CEO Steven Brill said in a statement. "But out of an abundance of caution, and in keeping with a policy of always leveling with our members, we wanted to issue this warning regardless of which state law may or may not require it."
A VIP spokeswoman said the company expects the suspension of its Clear program to last about five days. She didn't answer a question asked by e-mail about why the information on the laptop was unencrypted.
VIP has about 200,000 Registered Traveler customers, and it operates at 17 airports, including airports in or near New York City; Washington, D.C.; Los Angeles; Denver; and San Jose, California. The TSA's Registered Traveler program has been operating since 2005.
VIP will be required to submit an independent audit, verifying that required security measures are in place, the TSA said. The agency will verify the audits before VIP can resume its Registered Traveler program, Davis added.
VIP is also offering affected customers free identity theft protection, the company said.
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
identity theft
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
