
FlyClear Data Breach

FlyClear, the company that handles an express lane security clearance in some U.S. airports, recently lost control of a laptop that contained personal data used to verify the identity of subscribers. The company has repeatedly pointed out that no social security numbers or credit card numbers were included in the data as if that’s the only data that really matters:

The data in question on the laptop included a limited amount of the online applicant’s personal information, but did not include any credit information, including credit card numbers. And it did not include the applicant’s Social Security number.

Somehow, credit card numbers have become the standard for what constitutes identity theft. I would argue that stealing credit card numbers does not normally constitute identity theft in any meaningful sense — all the credit card number does is let the holder take money from a single account in a specific way. Calling credit card number theft identity theft is like calling physical key theft identity theft. The credit card is not used for generic identification but is instead only used for access to a specific resource, as is a house or car key.

Social security numbers are used for generic identification, though it’s a whole other conversation about how horrible they are for such a use (for instance, I’m constantly asked for my social security number as identity confirmation by organizations to whom I never gave the number in the first place). In any case, the breached data included “names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information,” the combination of which is certainly as valuable for identification purposes as a simple social security number.

In fact, the purpose of the data on the laptop was to allow confirmation of identity without access to the network, so without evidence to the contrary, we can assume that the compromised data would allow an attacker to masquerade as one of the compromised identities. This could be bad for the owner of the identity, but it seems much, much worse for the overall security of the security clearance process, allowing an attacker with the data to sail through the minimized security clearance process identified as one of the compromised identities. I can’t find reference to this vulnerability in any of the releases by TSA or FlyClear or in any of the news coverage, but to the degree that we take the air travel security clearance process seriously, this problem seems to be very serious.

In a letter sent to its subscribers (and, according to David Weinberger, folks who did not know they had subscribed), the company claims that the data was not compromised because there were no logins on the compromised laptop while it was lost. This is a very deceptive (or ignorant) statement, because it assumes that the only way to access the data on the laptop was to start up the laptop. In fact, were I to want the data on a laptop, I would grab the laptop, take out the hard drive, copy an image of the hard drive, reassemble it, and then replace it where I found it, hopefully without anyone noticing that it was gone. In this case, the absence of the laptop was noticed, but the lack of logins to the laptop says nothing about whether the data on the hard drive was accessed.

The company also claims that the personal data was protected by “two separate passwords.” It’s not clear (so to speak) what systems used those two passwords. My guess is that at least one, if not both, of the passwords only protected access to the operating system login and not to the hard drive. Again, there’s no need to log in to the operating system to access the data, and in fact a smart attacker will avoid logging in to the operating system to avoid the risk of damaging the data. It could be that one or both of the referenced passwords were used to encrypt the data on the hard drive; in that case the data would be protected even when accessed from another computer. But the company admits that the data was not in fact encrypted, so it seems more likely that the data itself was in the clear and easily accessed simply by copying it off the drive.

More generally, the response of FlyClear to the data breach takes the tone of most of the data breach announcements — that there’s much ado about mostly nothing but that the mere fact that FlyClear is making the announcement is evidence that you can trust them with your data:

We take the protection of your privacy extremely seriously at Clear. That’s why we announced on Tuesday that a laptop from our office at the San Francisco Airport containing a small part of some applicants’ pre-enrollment information (but not Social Security numbers or credit card information) recently went missing. … We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach.

Notice the emphasis on the small amount of data (though it seems to have contained data highly useful for identity theft), on the seriousness of their response despite that small amount of data, on the apology for the publicity, on the fact that their response to such a minor issue constitutes an “abundance of caution.” My reaction to reading a statement like this is that they do not in fact take data security seriously at all. If they did, they would not consider it an abundance of caution to send an announcement (two weeks after the fact) to folks whose data they had lost. If my friend lent me his driver’s license and I lost it, I don’t think he would consider me telling him about the loss an abundance of caution. In fact, if I waited two weeks to tell him, he’d justifiably be very upset and never trust me with the driver’s license (or likely anything at all) again. Doubly so if I claimed to him that he should take the loss of the license and the fact that I reported it to him just two weeks later as a sign of my abundant trustworthiness.