Airline Traveler Data Breach
Verified Identity Pass has signed up more than 200,000 travelers to a program that allows airline travelers to speed through security and skip many of the security checks. The catch? The traveler has to submit to a background check, provide biometric data, and provide ID in person to complete the sign up process. And, the system is only in place in 17 US airports (the list is growing, though).
How do I know? As a member of InfraGard member alliance, I have to undergo some of the same checks. InfraGard members were informed that they can sign up for the program since the government already has screened us for much of the data.
The last step in the sign-up process is to go to one of the major airports, provide some more data, before a card is issued to you.
A laptop that was used at the SFO Airport for that final step was stolen last week (July 26, according to the Verified Identity Pass people). The laptop data for 33,000 ‘in-process” users was not encrypted. That’s the bad news. The good news is that the data on the laptops was not Social Security Numbers, driver’s licenses, bank information, or biometric information.
If the laptop was stolen to get the names of people that passed a background check, and then use social engineering or other techniques to put together IDs of people that can get though security, well, then the attack was successful.
Until the laptop and thief are caught, it is hard to know why it was stolen, or what will happen with the information.
According to the spokesperson: “The office housing the computer was locked and there were security cameras installed around it.” Hopefully the perpetrator will be caught so the motive can be discovered.
One would also hope that all the laptop encryption vendors are calling Verified Identity Pass and offering them good deals on whole disk crypto. Failing that, Verified Identity Pass can use totally free, and effective, TrueCrypt right away.
Look for coverage on this in Episode 13 of the Data Security Podcast.