Web: www.stevenfrischling.com — E-Mail: firstname.lastname@example.org
9/08/2008 – Stolen ‘Registered Traveler’ Laptop Found, But Is The Data Safe?
Earlier this week I had written about a laptop being stolen containing the data of more than 30,000 ‘Clear’ card users from a Verified Identity Pass (VIP) office at San Francisco International Airport (SFO). Verified Identity Pass operated the ‘Clear’ card program at 17 airports throughout the United States under the Registered Traveler Program.
I have received multiple e-mails asking why I had not written about the stolen laptop being found this past Tuesday, the day I wrote this entry: 5/08/2008 – ‘Clear’ Registered Traveler User Information Stolen
I had not written about the laptop being ‘found’ in the very office it was reported missing from 10 days earlier for a simple reason. This reason is that no one from VIP has been able to explain why VIP was delayed in reporting the theft to the US Department of Homeland Security (US DHS) and they are unable to explain where the laptop was for 10 days.
Authorities searched the office and it was clearly not in the office it went missing from. Ten days later the laptop ‘magically’ reappears in plain site in the very office it was stolen from. The laptop was clearly not ‘found’, it was not ‘recovered,’ it was returned.
Steve Brill, CEO of VIP states “We don’t believe the security or privacy of these would-be members will be compromised in any way.” Considering the laptop, containing sensitive information regarding more than 30,000 people, was unaccounted for and outside of a secure environment, for more than 10 days with completely unencrypted data how can this statement be made?
It is possible that no harm was done directly to the laptop. After speaking with a few computer security experts they all have a similar scenario suggestion that the laptop’s hard drive was simply cloned. Cloning a hard drive appears to be fairly simple according these computer experts. These experts almost all universally agree that accessing a hard drive only protected by two passwords, rather than encrypted data, would be fairly simple to crack for an experienced hacker.
So, while I am happy to hear that the laptop has been returned to VIP, I do not believe the data related to “Clear’s” Registered Traveler Program is secure. The information contained on the stolen laptop could very easily be used to steal the identity of those who had their information stored on the hard drive by VIP.