AlertBoot Endpoint Security

Hard Drive Encryption Not Used In Lost And Found Clear Laptop

It was only yesterday that Verified Identity Pass, better known as Clear (and even better known as the guys who let travelers pass through TSA security checks much faster by flashing a card), was suspended by the TSA.  A laptop belonging to Clear—and containing the information on 33,000 people who signed up for the registered traveler program—had been reported as missing.  The laptop didn’t have hard drive encryption like AlertBoot installed on it.  Things can only go downhill from there.

 

Today, Clear is announcing that the laptop was found in the same secure room it went missing from.  Which beggars belief.  I mean, on the one hand, I can believe that this has happened: certainly I’ve read about enough security bungles while submitting articles for this blog, some of them quite mind‑boggling.  On the other hand, I can’t believe what I’m hearing, due to the nature of the Clear program.

 

Clear is billed as the “fast pass for airport security.”  That’s because anyone who signs up with Clear gets through the airport screenings quicker (well, assuming nothing goes wrong).  That’s because a person agrees to be pre-screened; you know, so they can ensure you’re not a terrorist.  Now, whatever central servers are used to store the data used for pre‑screening—including SSNs, credit cards, and biometric information—are in a secure location, I assume (I hope).  One would also assume that any laptops used by the company and containing sensitive information would be secure as well.  While I doubt the laptop could be used to somehow change the contents in those central servers, the same information could be used in an attempt at identity theft.  It could be used for getting a mortgage loan, or for getting into the boarding area of an airport—who knows what’ll be attempted?  And isn’t that what the TSA is trying to prevent?

 

Now, Clear had announced yesterday that there were no credit card or SSNs on the now recovered laptop, but that names, addresses, and other personal data were.  That’s kind of a scary thought.  Sure, the laptop was recovered.  Does this guarantee data integrity?  Nope.  If there had been laptop encryption, the probability of answering “yes” would be higher, though.

 

I guess the Transportation Security Administration agrees.  They suspended enrollment of new members in the Clear program until encryption software is installed, according to the Orlando Sentinel.  It’s odd that such a requirement was not made prior to the event.  It seems to be a no‑brainer.

 

One thing of note:  Slashdot is following the case, and someone (supposedly) from Clear customer support posted a clarification.  I’m not sure the person clarified anything, though.  If anything, it seems to be indicative of the muddled thinking Clear (ha! Pun!) has been exhibiting when securing their customers’ information.  Or not securing it, as it were.  I mean, is the incident less egregious just because only those who were in the process of applying for a Clear pass were affected, as opposed to everyone who ever applied and received a Clear card?  Especially considering that the laptop was stolen from a secure area?

 

There’s a line in the Godfather II that’s always given me the chills:  “If history has shown us anything, it’s that we can kill anyone.”  I’d like to change a word and state that “if history has shown us anything, it’s that anything can be stolen.”  Companies ought to take note.  My guess is that, for most companies, their physical security cannot even compare to what TSA has on hand.  They should start thinking of new ways data can be safeguarded.  Thankfully, encryption solutions are available to regular companies as well.

 

Related Sites:

http://cbs5.com/local/tsa.security.clear.2.788083.html


Comments

AlertBoot Endpoint Security said:

A couple of days ago, I had posted an article on the loss and eventual recovery (within the same “secure

August 8, 2008 1:11 PM
 

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with Data Guard Systems, Inc., the leading provider of managed endpoint security services, based in New York, NY. Mr. Lee helps with the deployment and ongoing support of both the AlertBoot disk encryption managed service and the CellularManager cellular pos service for Data Guard's customers. Prior to working at Data Guard Systems, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.