Last Christmastime, I was walking around Reagan National Washington Airport. I walked by a booth for the Clear program. I asked about the program which promises to help you clear security at the airport in much less time if you provide your personal information so the TSA contractors can conduct a background check. Since I already had a Top Secret security clearance, I thought it would be no problem. However, I had some nagging doubts and decided that I should wait and see how the program works out.
Fortunately for me, I trusted my instincts. Yesterday, I read the e-mail which said that an unencrypted laptop which belonged Verified Identity Pass, Inc., the TSA contractor operating the Clear program, lost an unencrypted laptop with the personal information for over 33,000 applicants. The laptop contained names, social security numbers, passport numbers, and a host of other personal information was stolen out of a locked cabinet at the San Francisco Airport. Since the hard drive was not encrypted, the information was easily compromised. To add insult to injury to the victims is the fact that the laptop went missing on July 26th and TSA was not notified until AUG 4th. In addition, the public was not informed until the next day. As a result, the trail of finding the information thieves probably has gone cold while leaving over 33,000 people vulnerable for over a week. This is a violation of at least the spirit of privacy policies such as the Office of Management & Budget M-06-19 which sets a requirement that all compromises of Personally Identifiable Information (PII) be reported to the US-CERT within one hour of discovery. Now, TSA may shift the blame to their contractor, but it doesn't relieve them of the responsibility.
Now that the horse is out of the barn, so to speak, here are some observations on preventing or mitigating future incidents:
- Government agencies need to remember that while they may delegate the work to contractors, they can not delegate the responsibility to safeguard it. Government agencies must assess the security controls of their contractors because the public trusts the government with their information, no matter where it is physically located.
- It's 2008, there are plenty of hard drive encryption and laptop locator software programs. It should be mandatory that all laptops which contain any type of sensitive information belonging to a government agency should have hard drive encryption. Laptops are too easy to steal or lose. Some agencies have already made this a requirement.
- All laptops with sensitive information should be required to have laptop recovery software such as Computrace, GadgetTrak, PCPhoneHome, etc. This would help recovery the laptops sooner and discourage potential thieves and buyers.
- It should not matter who technically owns the laptop, the loss of laptops with PII should be reported immediately to the government client, so they can report it to US-CERT and other organizations. Yes, this will be embarrassing for the contractor and potentially cause legal problems, it is the right and ethical thing to do. The public trusts the government with PII, the government agencies deserve a chance to mitigate the loss of such information quickly. A week is far too long.
It is my sincere hope that this incident will spur further action to secure PII on both government and contractor owned laptops.
Interesting, from http://www.washingtontechnology.com/online/1_1/33253-1.html the company states:
"personal information the laptop contained is protected by two levels of password protection and does not include Social Security numbers, biometric data or credit card information, the company said"
“We don’t believe the security or privacy of these would-be members will be compromised in any way,” Steven Brill, chief executive of the company, said in a statement.
However, they go on to say:
"The information on the missing laptop includes applicants’ names, addresses, birth dates and, for some applicants, driver’s license number, passport numbers or alien registration card numbers, the company said"
It almost seems as if they are trivializing the whole thing, saying - hey, no big deal, we have a password on the machine, and thats it!
Forget disk encryption - this type of data should only be allowed on a centrally managed server - it should never be allowed on any other device - for this reason alone!
Posted by: Andrew Law | 06 August 2008 at 11:47 PM
Andrew:
Let's not forget the fact that most states use Social Security Numbers for driver’s license numbers. So just leaving off SSNs may not do any good. I agree that that we should avoid placing type of information on laptops, if possible.
Posted by: John Dittmer | 10 August 2008 at 10:55 PM
Surprise! They found the laptop in another container. Sounds more and more like an inside job.
Posted by: John Dittmer | 14 August 2008 at 02:13 PM