TSA fails to secure “trusted traveler” data.

8:59 am on August 6, 2008 | By Meghan Whelan | In data breach, laptop encryption, laptop security | No Comments

Yesterday, a missing laptop with the names of 33,000 people enrolled in the Clear program, the most popular airport “trusted traveller” program, was found at SFO Airport. The laptop belonged to an employee of the TSA-contracted security firm and is said to have contained “personal information on applicants to the program, including names, address and birth dates, and in some cases driver’s license, passport or green card numbers.”

The good news is the laptop turned up in the same office it was reported stolen from. The bad news is the alleged theft has exposed the serious vulnerabilities of a trusted security program associated with a government agency.

In a statement, the company said the information on the laptop, which was originally reported stolen from its locked office, “is secured by two levels of password protection.” Beer called the fact that the personal information itself was not encrypted “a mistake” that the company would fix.

Not encrypted? What?

Even Anheuser-Busch (a brewery, for crying out loud) knows better than that. When one of their laptops went missing last month, potentially exposing the personal information of over 150,000 current and former employees, many of those affected could breathe easier knowing the laptop was encrypted.

So, how does a public company charged with the task of filling America’s beer mugs have a better security policy than a private company charged with securing America’s airports?

This goes back to ensuring that all contractors and vendors have a sound security policy before signing up with them and putting your information at risk.

Secondly, when the physical security of airline passengers is at stake, wouldn’t it be a good idea to have a Plan B that gives an agency the option to destroy data if a breach is suspected? If that laptop hadn’t turned up, or in the case that the laptop was stolen, breached and returned, the data contained within could make it easier for dangerous people to travel undetected. This puts anyone who travels by plane at risk.


Not even Google is immune to security threats.

2:10 pm on July 22, 2008 | By Meghan Whelan | In data breach, pc security tips | 2 Comments

Earlier this month, a major breach was reported when a third-party employee benefits administrator’s office was burglarized and part of the theft included personal employee data. Data breaches happen all the time, but this particular incident raised some eyebrows because it happened to Google.

Turns out the company Google had entrusted with administering benefits to its employees and protecting their personal information is just as vulnerable as everybody else to this type of risk. A company like Google must prove its ability to secure user data on a daily basis, or it won’t have users. So why, then, would it not ensure such security measures are being taken by third-party vendors to secure employee data?

The problem is more common than we’d all like to admit. It can happen to anyone who hands over their employees’ or clients’ personal information to a third-party vendor. And is that vendor to blame when the information is breached? Yes and no. The responsibility is still on the company its employees and clients trusted to secure their data, regardless of where that data travels along the B2B highway.

Bottom line: vendors, contractors, and service providers should be measured not only by the quality/value of their services but by their diligence in maintaining the privacy of the custodial data they’ve taken responsibility for. When considering a vendor, add a sound security policy to the items you value. You won’t be sorry.
