Missing laptop found, but security questions remain

The Transportation Security Administration is the latest agency to learn firsthand about the challenge of protecting personal data stored on mobile computing devices.

A vendor involved in TSA’s Registered Traveler program temporarily lost a laptop containing the unencrypted personal enrollment data of 33,000 people taking part in the program. TSA temporarily suspended the vendor, Verified Identity Pass, from enrolling new passengers in the program.

Verified Identity Pass officials said that although law enforcement investigations are ongoing, the company’s initial check showed that during the time the laptop was missing, there was no activity on that computer and the data was not accessed.

Following the report of the loss, TSA said it contacted all Registered Traveler service providers to reaffirm that required “security measures are in place, including encryption of sensitive personal information of participants.”

Some observers say the incident highlights data security vulnerability, despite a two-year effort by the federal government to improve mobile device security. Earlier this year, a National Institutes of Health agency reported that a laptop stolen from a researcher’s car contained unencrypted personal data.

“Sensitive personal information will continue to be at risk until the government requires regular third-party audits of all government and contractor information systems — mobile and fixed — that contain such information,” said Paul Kurtz, chief operating officer of Good Harbor Consulting and former member of the White House’s National Security and Homeland Security councils under presidents Bill Clinton and George W. Bush.

Jason Slibeck, chief technology officer for Clear, which is Verified Identity Pass’ Registered Traveler enrollment program, said data on the company’s servers was encrypted, as was some of the data that was stored in the enrollment kiosks located in airports around the country. However, the names, addresses, birth dates, driver’s license and alien registration numbers on the password-protected laptop computer were not encrypted.

Slibeck said the company has addressed the problem by removing all data from the kiosks and employing a full disk encryption solution. “In this one location, it was an unfortunate oversight,” he said. “But we’ve fixed it.”

James Lewis, a director at the Center for Strategic and International Studies, said that until data can be encrypted automatically, incidents like this will continue to occur.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Cybersecurity
    Shutterstock photo id 669226093 By Gorodenkoff

    The disinformation game

    The federal government is poised to bring new tools and strategies to bear in the fight against foreign-backed online disinformation campaigns, but how and when they choose to act could have ramifications on the U.S. political ecosystem.

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.