Missing laptop found, but security questions remain

The Transportation Security Administration is the latest agency to learn firsthand about the challenge of protecting personal data stored on mobile computing devices.

A vendor involved in TSA’s Registered Traveler program temporarily lost a laptop containing the unencrypted personal enrollment data of 33,000 people taking part in the program. TSA temporarily suspended the vendor, Verified Identity Pass, from enrolling new passengers in the program.

Verified Identity Pass officials said that although law enforcement investigations are ongoing, the company’s initial check showed that during the time the laptop was missing, there was no activity on that computer and the data was not accessed.

Following the report of the loss, TSA said it contacted all Registered Traveler service providers to reaffirm that required “security measures are in place, including encryption of sensitive personal information of participants.”

Some observers say the incident highlights data security vulnerability, despite a two-year effort by the federal government to improve mobile device security. Earlier this year, a National Institutes of Health agency reported that a laptop stolen from a researcher’s car contained unencrypted personal data.

“Sensitive personal information will continue to be at risk until the government requires regular third-party audits of all government and contractor information systems — mobile and fixed — that contain such information,” said Paul Kurtz, chief operating officer of Good Harbor Consulting and former member of the White House’s National Security and Homeland Security councils under presidents Bill Clinton and George W. Bush.

Jason Slibeck, chief technology officer for Clear, which is Verified Identity Pass’ Registered Traveler enrollment program, said data on the company’s servers was encrypted, as was some of the data that was stored in the enrollment kiosks located in airports around the country. However, the names, addresses, birth dates, driver’s license and alien registration numbers on the password-protected laptop computer were not encrypted.

Slibeck said the company has addressed the problem by removing all data from the kiosks and employing a full disk encryption solution. “In this one location, it was an unfortunate oversight,” he said. “But we’ve fixed it.”

James Lewis, a director at the Center for Strategic and International Studies, said that until data can be encrypted automatically, incidents like this will continue to occur.