Missing laptop found, but security questions remain

The Transportation Security Administration is the latest agency to learn firsthand about the challenge of protecting personal data stored on mobile computing devices.

A vendor involved in TSA’s Registered Traveler program temporarily lost a laptop containing the unencrypted personal enrollment data of 33,000 people taking part in the program. TSA temporarily suspended the vendor, Verified Identity Pass, from enrolling new passengers in the program.

Verified Identity Pass officials said that although law enforcement investigations are ongoing, the company’s initial check showed that during the time the laptop was missing, there was no activity on that computer and the data was not accessed.

Following the report of the loss, TSA said it contacted all Registered Traveler service providers to reaffirm that required “security measures are in place, including encryption of sensitive personal information of participants.”

Some observers say the incident highlights data security vulnerability, despite a two-year effort by the federal government to improve mobile device security. Earlier this year, a National Institutes of Health agency reported that a laptop stolen from a researcher’s car contained unencrypted personal data.

“Sensitive personal information will continue to be at risk until the government requires regular third-party audits of all government and contractor information systems — mobile and fixed — that contain such information,” said Paul Kurtz, chief operating officer of Good Harbor Consulting and former member of the White House’s National Security and Homeland Security councils under presidents Bill Clinton and George W. Bush.

Jason Slibeck, chief technology officer for Clear, which is Verified Identity Pass’ Registered Traveler enrollment program, said data on the company’s servers was encrypted, as was some of the data that was stored in the enrollment kiosks located in airports around the country. However, the names, addresses, birth dates, driver’s license and alien registration numbers on the password-protected laptop computer were not encrypted.

Slibeck said the company has addressed the problem by removing all data from the kiosks and employing a full disk encryption solution. “In this one location, it was an unfortunate oversight,” he said. “But we’ve fixed it.”

James Lewis, a director at the Center for Strategic and International Studies, said that until data can be encrypted automatically, incidents like this will continue to occur.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.