back to article Unencrypted traveler data laptop disappears then reappears

Update The missing laptop has now been found – in the office from which it was apparently stolen. A spokesperson for Verified Identity Pass which operates the program said late yesterday the laptop was “not in an obvious location” according to local news station CBS 5. She added that the firm was investigating whether the …

COMMENTS

This topic is closed for new posts.

Page:

  1. john doe

    another example of

    war-on-terror gravy train.

  2. N

    loosing sensitive data, no longer the sole preserve of UK Govt...

    Obviously not, clearly their muppet CEO Steven Brill should realise that very strong encryption is essential to control such sensitive data.

    Get your bloody head out of the sand you half wit - pathetic excuses or lame explanations are no longer acceptable.

  3. J-Wick
    Happy

    Ha, ha!

    I always thought giving up your personal data for a fast track through airport security wasn't worth it...

    (Sorry to be insensitive to those affected).

    Also - if the laptop disappeared from a locked room, they surely can put a limit on the number of potential suspects? Interesting that that point wasn't addressed...

  4. phat shantz
    Black Helicopters

    In a post-911 world

    We're from the government and we're here to help you.

    We'll take from you your most sensitive information. We will make it available to criminals. We will charge you $100/annum for this service.

    You cannot touch us. We are the government and you are our servants. Complaints are handled in room 101 of the Ministry of Love.

    The terrorists have won.

  5. Anonymous Coward
    Coat

    So..

    We turn up at the air port and are treated like criminals for no good reason (apart from the paranoid ideas of some idiots somewhere). But those people who are treating us like criminals are letting REAL criminals apparently wander round secure areas of airports and walk off with laptops...

    I think I must be dreaming.

  6. Wokstation
    Thumb Down

    They've been taking lessons

    From the UK government, haven't they?

    Next they'll store their laptops securely, by leaving them on trains...

  7. Anonymous Coward
    Flame

    why is this data even on a laptop

    who the hell carries this sort of sensitive data around on a laptop to begin with, and for what purpose?

    this stuff should be locked up in a central database, and NEVER allowed out of a secure network.

    every day there is another instance of some retard carrying around data that should never have even been on a fricken laptop to begin with.

    i'd really really like to know what data mining or other processing of names, addresses, SSNs, etc. is happening on a stupid laptop, where the data needs to be local. a fucking spreadsheet no doubt.

    whoever 'lost' this data should be fired and sued. the TSA of all places loses this. i'm american, but christ my fellow countrymen are all complete retards...

  8. Anonymous Coward
    Pirate

    Wow, and it wasn't the Brits this time!

    Big p/blunder indeed. Very scary, too. Moreover, it sounds to me that this laptop was deliberately targeted for its information. If expedited airport security could also mean a lighter one, this kind of information could be very valuable to terrorists, I am afraid.

    Why bother with identity theft? Let's see... Presumably there are a few whole families enrolled, with young children, right? Names and birth dates give you that... What else was inside the stolen data? Oh yeah, addresses! Hmm... What could a bunch of ruthless fanatics on a crusade against America and Americans do with that information, I wonder? Yeah, those terrorists who have no qualms about destroying buildings with thousands of people inside, or beheading, uh, hostages on video. What would not a father or mother do to save the lives of their children and/or spouses? For instance... use their expedited security clearance to get a bomb into an airplane, perhaps?

    Now, there are 33,000 people on that list, all over America, I imagine. How many potential victims could there be? Would they settle with just one? Why not several? Of course, they'd like for each victim to deliver their payload, so to optimize their chances, what would a sensible person do? Exactly, do them all at the best time. And what's the best time? A sudden first blow... at the same time. Or maybe they want to be more discreet and be them who get the virgins in heaven after a blaze of horror, and use that as a diversion to slip something.

    This might sound like the plot for a 24 season and perhaps I ought to become a screenwriter instead, but it all is plausible. I would keep a close eye on those people, if I were the authorities...

    Now I hope I am not giving the terrorists any new ideas and become an unwilling and unwitting terrorist mastermind, while in actuality what I want is for people to realize what a serious blunder this was and that an scenario like this should be contemplated. I don't think the terrorist leaders are so stupid not to be able to come up with a plan like this. Maybe this is actually a very naive plan and the CIA has got their asses covered already.

    Be afraid, very afraid.

  9. Anonymous Coward
    Dead Vulture

    half-wits?

    >loosing sensitive data

    The word is "losing". Really, it's not that hard. Worth getting right when calling somebody else a "half-wit"

  10. Dan

    Loosing does make sense...

    Probably not what was intended, but it does fit with setting the data free!

    Mine's the one with the Mahi-Mahi on the back...

  11. Geoff Gale
    Thumb Down

    For Those Unaware

    SFO is one of a very few airports in the US at which the TSA function is handled by a private contractor. From the story, it appears that the laptop was the property, and therefore the responsibility of another contractor. I don't know, and it isn't clear from the story whether the contractor that owned the laptop was hired by the TSA directly or whether they had been hired by the TSA contractor at SFO. Since the quick pass programme for travelers extends beyond just SFO, it's easier to imagine that contractor linked directly to the TSA rather than the other contractor.

    Apparently, then, not only can't the TSA manage it's own, it can't manage those they hire to help them out. Of course such muddled relationships do provide the TSA with some semblance of plausible deniability when things like this happen.

  12. Anonymous Coward
    Alert

    why is this data even on a laptop?

    It's a really cheap way of doing things. We see a 1Tb hard disc, that costs around $200. Politcos/businessmen see 2 billion paper documents, that also costs around $200, it's called the e-agenda and there's no sign of it stopping.

  13. yeah, right.

    Why?

    Why is the person who put that unencrypted data on the computer not in jail? Why is their manager not in jail? Why is the CEO of that company not in jail for allowing the company to have policies where this sort of thing is done?

    Oh, right, because they have the right Washington connections, and privacy, along with anything else, is easily bought and sold in the USA. It'll get swept under the rug and quickly forgotten, with nobody getting even a minor slap on the wrist so that when the next one does it they can claim "there's no precedent".

    Idiots.

  14. NukEvil
    Joke

    @"loosing sensitive data, no longer the sole preserve of UK Govt..."

    Can't let you Brits outdo us!

  15. Gordon Fecyk
    Stop

    Stolen Laptop = Expensive Doorstop in my network

    OK, how hard is it to use offline files and the built-in encryption on Windows XP? If you absolutely have to take your work with you, and work offline from a company network, this is a good choice.

    Granted I had to do some fiddling to make sure the Group Policy settings enabling EFS and offline files encryption stayed on, but they stayed on and lusers couldn't turn them off. They also couldn't store stuff anywhere else. Including USB keys.

    With this, a stolen and later returned laptop in my care didn't compromise anything. Lots of dumb password attempts in the security log and the battery was drained, but that was it. The luser that lost it got a replacement and kept working until it came back.

  16. halfcut

    >loosing sensitive data

    Technically, that's correct. Previously the data was contained, now it's loose.

    So there.

  17. Jón Frímann Jónsson
    Alert

    Not surpriced....

    I am surprised that this didn't happen sooner. Airports appears to be (at least most of them) to be criminal heaven. It is quite common that thieves steal out of checked in luggage. That same luggage is supposed to be secured to start with, but isn't.

    How do I know that airports are thieve havens ? I got robed at Schiphol in Netherlands.

    Airport security is a myth like Bigfoot and Jesus.

  18. Anonymous Coward
    Alert

    You about to enter....

    A lot of systems are designed with good security, procedures put in place then the business people get involved and all the rules go to hell in a hand-basket...

    (cue swirly lines)

    I'd like to take you on a journey if I may....you are about to enter a world of supposedly sensible people, with strong intelligence, but zero common sense...welcome to the BUSINESS ZONE!

    Johnny Arse-Hat is a typical company director. One day Johnny goes to his favourite lackey and makes a request. "I want some data to run some reports, get the IT dept to throw come of that useful data onto my laptop.".

    So lackey goes to IT bod, "Can I have XYZ data in Excel format?".

    "No! Certainly not! We need security clearance and the security officer needs to be informed. nce we have the correct clearance we'll let it go."

    "Well Mr Big, head -honcho, director type person wants it, are you going to say no?"

    "Yes I will tell him no."

    Lacky heads to his line manager and says IT dept are being difficult and won't give up some data for Johnny director.

    Manger heads to Johnny and says need security clearance. Johnny has a quiet word with CTO and security officer, Johnny says he'll promise to be careful with it but if he doesn't get it then we could lose X millions in customers, so please make it happen before it gets to P45 time!

    CTO orders IT dept to dump data into insecure format and try to do their best to secure it on laptop.

    Laptop is destined for Johnny. Director although he may have an MBA has zero common sense and the IT dept usually have to set the passwords on laptops to something like "pas55word" or director's favourite niece's name.

    Well you know the rest....do-do-do-de-do-do-do

  19. fajensen
    Joke

    Hahahaha

    The lapdog has just been taken into the care of US Customs Goons ^^^^^^H Officials as permitted by US Homeland Defence. All is well - the US standard for security personnel is the same as 'round 'ere so only people with a criminal record will take the job due to the pathetic pay. The lapdog will appear on eBay.

  20. Greg

    @AC

    Your raving on terrorists using the list is completely and utterly stupid.

    So they'd need a list of 33.000 names and addresses so they woul dknow whom to kill? Yeah, sure. It's so hard to find random people in the US, you have to like, look at a house and say "why not this one?". Very hard, so for sure, it's better to get a list, check out each address and choose from there...

    Oh, and I heard someone stole a White Pages book from a telephone company! Just imagine, names and addresses of hundreds of thousands of people. Whoh, terrorrists could kill them all thanks to their addresses. Scary isn't it?

  21. Andy Worth

    I don't understand....

    I just don't get why companies (including the one I work for) have been encrypting laptop hard drives for years to protect industrial data, and yet the governments don't encrypt drives holding the personal data of xxxx thousands of people.

    I don't know what laws apply in the U.S. but I strongly believe that those responsible in cases like these should be held accountable under the data protection act. They have wilfully neglected to protect peoples personal data thus allowing it to be stolen and potentially used for a purpose other than the one it was collected for.

    If they started introducing criminal proceedings in cases of e-security neglect then I am sure we'd start to see an improvement.

  22. Peter Gold badge

    I like this one..

    Clear: yeah, even cleartext

    Focus: those with enough money to afford the program, i.e. those with enough money to give them the mother of all headaches in court.

    Well done!

  23. John Latham

    Hacking into passwords

    ""For it to be more than that, the thief would have to hack into two different passwords"

    WTF does that mean? Hack "into" a password? FFS.

    If the data wasn't encrypted, passwords are irrelevant.

  24. Anonymous Coward
    Anonymous Coward

    It's purely a cost thing

    As someone else has said;

    Cost of putting in a secure wi-fi (that's a contradiction in terms) in the airport covering that area, or having a secure private APN on a 3G data service in the USA - a few grand.

    Cost of putting a large hard disk into a laptop and having an offline copy of the DB - a couple of hundred quid. Why don't they encrypt it? Because the laptops they use are so shite it slows the machine down to a crawl and therefore you get Mr and Mrs impatient from Esher in the queue complaining why does it take so long, thus the operatives complain. Plus they won't pay the measly couple of hundred quid for PGP, for example.

    I know there's free versions of all these software, but you have to realise who you're dealing with here. Big corporate and FM companies are mainly wary of 'free' software and as such won't use it. They equate 'Free' with 'Back Door'. Which is a bit of a contradiction in terms.

    Knowing that the bean counters run the country and the companies, not the Information Security people, and knowing that they pay nak all to their IT staff, are you surprised that this happens every day?

    It's the lowest common denominator. Heck, when you look at the IT Facilities Management companies that manage data for the Government and the Bank, they pay crap wages because they've undercut everyone else to get the cheapest contract, and as is the old adage, you pay peanuts and you get monkeys.

  25. Norfolk Enchants Paris

    Clap 'em in irons

    Organisations leaving other people's personal details sitting around on an unencrypted laptop is akin to the bank leaving your cash on the counter for a while. It is negligent and it should be punishable by hanging or electrocution. Or perhaps a fate worse than a fate worse than death. By entering a given sphere of commercial activity, organisations have obligations which extend beyond 'profit'. It's time lawmakers punished these miscreants, rather than worrying about me using my satnav while driving (I mean, when else would I want to use it? I never walk if avoidable and it doesn't work on the tube)

  26. Glyn
    Black Helicopters

    @In a post-911 world

    Just noticed that the WTC bomb date written like that is the yank emergency services number. Think 9/11, think panic? Despite the fact it should be 11/9 but Americans are doodie heads

  27. Aitor

    ummm

    I regualry carry some 80K names and ids in my laptop.. and these are certainly NOT encrypted: i have to choose between encryption and compression, and I don't have enough space...

  28. Anonymous Coward
    Anonymous Coward

    It matters not a jot, Geoff...

    "...it isn't clear from the story whether the contractor that owned the laptop was hired by the TSA directly or whether they had been hired by the TSA contractor at SFO..."

    It doesn't matter a bean whether it was the TSA or their agent or their agent's agent. This just goes to show that the more this kind of info is collected, the more it will get pilfered.

    And the deniability is only plausible if you accept that the Federal agency involved has not responisbility for what its agents get up to. Which has to be a crock, since otherwise all the feds have to do is outsource everything and then they don't have any accountability. Or is that the way the States is heading?

  29. Graham McDermott
    Stop

    Laptop has been 'found'

    Stop the presses!

    http://www.flyclear.com/news_pr/pr/pr_laptopfound.html

    "Press Release

    Verified Identity Pass Confirms It Has Found Laptop It Reported Missing; Preliminary Investigation Indicates No Information Compromised"

    Still doesn't mitigate the fact that the data was stored unencrypted on an unsecured laptop that could (and did) go missing.

    Muppets

  30. Piers Meynell

    "It was not in an obvious location."

    Not that they're not grossly incompetent for having such sensitive information stored unencrypted or whether it simply has been returned after syphoning off the info etc, but apparently the laptop has turned up in their office:

    http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/05/financial/f102608D05.DTL&tsp=1

  31. Dave Brooker

    Delete the data

    Humans equal human error. It will always be the case so we should be able to react to disasters. Deleting the data of a lost device before somebody can get to the data must be the best way to go. Might have been tough in this case though because they don't even know if the laptop was lost.

  32. Anonymous Coward
    Anonymous Coward

    And these are the people allowed to look at our machines!!!

    With the new laws in vigor concerning Home Land Security, these are the people that can take, and give to a third party for decryption any electronic device at any US border. Hummmm.

  33. Anonymous Coward
    Boffin

    More lose vs. loose corrections

    >Technically, that's correct. Previously the data was contained, now it's loose.

    Um, still No. The OP didn't say the data was "loose", they said somebody was "loosing sensitive data", as in somebody "loosed" (or maybe loost?) it. Complete nonsense.

    I'd accept "letting loose sensitive data" or even the "data is on the loose". You could even possibly "loosen" the security around the data. But "the data is loose" -- even if that had been what the OP said, and it isn't -- implies either its numerically not very accurate, or it's rattling around the disc surface every time the laptop is moved. An interesting mental picture, but even then there is no way to contort "loosing the data" to mean "the data was made loose". At least, not in english.

    Don't make me come down there.

  34. Liam

    hmmm

    @ "Just noticed that the WTC bomb date written like that is the yank emergency services number. Think 9/11, think panic? Despite the fact it should be 11/9 but Americans are doodie heads" - wtf? where have you been the last 10 years? surely everyone else guessed that the same day? lol

    i say make companies accountable. if your ID gets lost by a company £1M fine. now, do this for every lost ID and that really fucks up the company.

    i always think its amusing that directors get stupid bonuses because their people have done what was wanted. yet they never get penalised if anyone makes a fuckup. so its just win win being a director.

  35. EnricoSuarve
    Joke

    Complete Farce

    Couple of things:

    1) Before Osama turned 'bad', before he was friends with the CIA, before all that, he was the son of a very well respected family (shake hands with the Bushes and all that good stuff) - who says that just because you aren't a threat today you won't be tomorrow?. Therefore the whole concept of a 'Clear' list is ridiculous

    2) The quality of staff enforcing the 'rules' isn't exactly sky high. I don't know what it's like in the US at the moment, but whenever I fly from the UK I take one look at the spotty reject nosing through my hand luggage and think "If you're the last line of defense between me, and criminal minds so ingenious they can make a bomb out of 101ml of water then I am so DEAD!"

    3) If you contract out work to the lowest bidder (or let's be honest your best mate), no matter how much legalese you get them to sign and whether or not you are legally liable its still YOUR FAULT when something goes wrong. You trusted someone who was not worthy of trust.

    4) The laptop was 'found' - yeah right, translation: "We are getting shit loads more flak from this than we expected and since we still have copies of the data you can't prove anything". Whether it was found or not the best that can be said is that this sensitive information is revealed to be stored on an unencrypted portable device, which they do not keep good tabs on and have no idea where it is some of the time. Serious security that!

    5) As for the statement from the company involved "Yes, it was sensitive privacy information, but not the stuff that was most sensitive", translation: "We store that on a CD...". Once you have got to the point where you have stolen 33,000 ($3.3million TSA dollars worth incidentally) records containing enough information to potentially clone supposedly 'safe' IDs, does it really matter if you didn't managed to get their sexual preferences?

    Joke since thats all this post 9/11 nonsense is - one big sick joke

  36. Jay Heiser

    ALL of these comments, and the article, miss the point

    The problem is NOT a lack of laptop encryption. The system is fundamentally flawed, and no amount of security technology or process is every going to keep exploitable data from leaking.

    Stop and think about how ludicrous it is that simple identifiers, such as names, addresses, and passport numbers, should ever be used as an authentication factor. Names and addresses are a matter of public record, and our quality of life continues to decline to the extent that we feel the need to protect the 'secrecy' of routine identifiers.

    We're becoming a strange sort of postmodern magic-based culture in which we all feel the need to use pseudonyms, fearing that anyone who has our true name consequently has power over us. And justifiably so.

    Our system is broken when just knowing some simple personal details is sufficient to take out credit in someone else's name, or apply for some other form of privilege using their identity.

    Until somebody has the courage to fix this fundamental flaw, routine encryption of laptops and memory sticks is a good idea, but it is still a temporary expedient. It is a band-aid on a gaping wound.

    Why aren't we placing the blame where an economic analysis would indicate it belongs? We need to hold credit givers, governments, and other institutions accountable when they use non-secret information as the basis for determining identity, and subsequently give credit or privileged access to the wrong person.

  37. shay mclachlan

    call me paranoid

    Call me paranoid but can anyone prove (serial no, whatever) that the 'lost' laptop and the 'found' laptop are one and the same?

    Why ask? Well I can think of 33,000 paying customers who might like to know for sure.

  38. Anonymous Coward
    Pirate

    John the ripper...

    ... while much loved, and still very valuable, has been somewhat outpaced by the new rainbow-table attacks.

  39. Zargof

    @Aitor

    "I regualry carry some 80K names and ids in my laptop.. and these are certainly NOT encrypted: i have to choose between encryption and compression, and I don't have enough space..."

    Why do you have to choose between encryption and compression? Compress and then encrypt. Problem solved.

  40. A
    Flame

    I have a solution

    I think the people responsible (and I use that word in the loosest possible sense) should be punished, but I think the punishment should fit the crime.

    I suggest the courts publish the same amount of *their* personal data online and in the paper press.

    If they lost fullnames, passport numbers, date of birth, religion; their fullnames, passport numbers, date of birth and religion should be published.

    I bet after a few managers had their details published security would go way up ;)

  41. Solomon Grundy
    Black Helicopters

    Fly Clear is Bad

    This whole gimmick has been fishy since day one. If the TSA/DHS/CIA/FBI can't make me secure Johnny CEO sure as hell can't. They really don't do anything but take all your personal info (lose it) then give you a silly little clear card that means you're not a terrorist. You are still molested by TSA, your bags are still searched, and your laptops HDD can still be copied/stolen - you just get the privilege of going through a shorter line before you are anally raped.

    The whole idea is bad. Let the Govt lose my data, not some shitty company with no morals, and as is obvious from their press release, no common sense.

    I hope it was stolen and returned. I'd be interested to see how many people with "terrorist" names were issued "Clear" cards. I bet there aren't any - maybe we'll find out soon.

  42. StopthePropaganda
    Black Helicopters

    the real villian here

    is a reactionary "watchdog" Media prying and looking for the slightest negative angle to blow across the worldwide front page.

    If it potentially makes America look stupid=launch it within minutes, no research or verification required

    If it potentially makes a Democrat/Liberal look bad=sit on it and repress it while you do "research' to "verify" until it all blows over (Edwards, anyone?)

  43. Anonymous Coward
    Coat

    @I have a solution

    >I think the people responsible (and I use that word in the loosest possible sense)

    Ye gods, it's "losest"!

    Oh, wait... as you were...

    /the one with big dictionary in the pocket

  44. Gilbert Wham

    "the thief would have to hack into two different passwords"

    Given the TSA's legendary ineptitude, I'll lay plenty of 6 to 4 that 'hacking into' one of these passwords will be no more difficulth than booting the machine and repeatedly pressing F8.

    Also, Shay Mclaclan has beaten me to my second point. I don't believe they 'found' it again for one second.

  45. Adam
    Thumb Down

    "Have to hack two passwords"

    Two options:

    1.) It's not been found - it's easier for them to lie to me

    2.) It has been returned by the thief. How on earth can they tell it wasn't compromised!

    I bet they're using a bog standard laptop with a 2.5'' HDD in it and not even stickers over the screws.

    Simple job of unscrewing the laptop, pop the drive into another machine and image it - then put it back in.

    Any system logs wouldn't even show a boot since it was stolen so it would look like it hadn't been touched.

    Mr BadMan now has all your data and can do what he likes with it - do these people think we're all as dumb as they are..............

  46. NoCo37
    Paris Hilton

    @ Adam Re:"Have to hack two passwords"

    "do these people think we're all as dumb as they are.............."

    Yes. Yes they do.

    Paris, because even she wouldn't believe this crap.

  47. Bren Flibig
    Thumb Up

    Too many kinds of stupid.

    One kind of stupid - the idea that our present government and business community is either competent or moral enough to do the job of judging who can be trusted on a plane.

    Another - the idea that becoming freer from random suspicion and harassment ought to cost money. This is more vile than stupid, like a protection racket, except with more suffering and less protection.

    Third (well, about sixth, but I'm tired of politics), is the lack of planning demonstrated by the very EXISTENCE of a non-trackable (GPS, anyone?) laptop with TERRORIST-SENSITIVE data on it. (Yeah, I know I'm over-reacting, but they do all the time. Why NOT here?)

    Fourth - assuming there WAS some secret, elaborate system that required this database to be on a portable device - an XP laptop? And an unsecured one? By "unsecured" I mean "if you can download or buy software to open it, it's not locked." It's just NOT THAT HARD to set up an OS - nearly ANY OS, including Win 3.1, for crying out loud - to secure your actual data. But you have to start.

    Fifth - the relatively random collection of personal data as identifiers, especially of a class of people some of whom have only a hypothetical fixed address, and others who keep their personal information intensely private.

    Sixth - the likely but not proven case that this was a local copy of a database, of which there are actually hundreds of copies running around, largely not in sync ;)

    Seventh - the fact that, security and encryption aside, they f***ing LOST THE LAPTOP IN THE SAME ROOM FOR A WEEK!!!

  48. Geoff Gale

    @ AC

    "Or is that the way the States is heading?"

    Well, one wonders, doesn't one.

  49. Anonymous Coward
    Alien

    You still don't geddit . . .

    Isn't there a pattern emerging here? Government and non-government agencies playing fast and 'loose' with all our data, c'mon, no-one is that stoopid. Media hype and coverage of these 'mistakes' only hasten the secret agenda - make everyone so scared that they demand another solution.

    If data isn't safe because of 'human' fallibility then I wonder what we can do about that? If personal details are that easy to come by and for ID theft to be so successful, then what can we do about that?

    The answer, and I mean it is the answer that government is looking for you sheeple to come up with, it's not the REAL answer of course, but it will be an embedded chip in everyone's brain - problem solved. All your data conveniently packaged in one place and you carry it around wherever you go.

    And who's going to hack into your brainchip? Why the government of course. After all, they are concerned about your safety and security, aren't they?

  50. Jon Kale

    @Aitor

    FYI, if someone's sold you an encryption tool that doesn't also compress the data then go back to them with a Big Stick and demand your money back. If it's not compressed then there's almost certainly redundancy in the input stream and redundancy is the enemy of effective encryption...

Page:

This topic is closed for new posts.

Other stories you might like