By Calvin Biesecker
The Transportation Security Administration (TSA) on Monday evening said that it has suspended Registered Traveler (RT) service provider Verified Identity Pass from enrolling new applicants in the fast pass program after the company disclosed that one of its unencrypted laptop computers containing pre-enrollment records of 33,000 customers was stolen last month.
Verified Identity, which manages the Clear brand RT program, the nation’s largest, notified TSA of the missing laptop. The company said that the pre-enrollment records were taken from a locked office at San Francisco International Airport.
The suspension has no effect on the daily use of RT lanes at participating airports and airlines for any current Clear, or other, RT members.
Verified Identity said that the stolen laptop is secured through two passwords. The information contained in the laptop includes an online applicant’s name, address, birth date, and for some, driver’s license number, passport, or alien registration card number. No credit card numbers, Social Security card numbers, and no biometric information was contained on the laptop, the company said.
TSA said that it requires all RT service providers and sponsoring entities to encrypt all files containing participants’ sensitive personal information. In addition to suspension, Verified Identity faces possible civil penalties, TSA said. An agency spokesman told Defense Daily yesterday that the incident remains under investigation.
Before Verified Identity can resume enrolling potential members in its Clear program, the company must submit an independent audit that verifies required security procedures are in place. TSA will verify the audit before enrollments can resume.
“The office housing the computer was locked and there were security cameras installed around it,” Steven Brill, Verified Identity’s CEO, said in a statement. “And while we continue to cooperate with the police investigation, we have now taken additional security measures to make sure that we have significant additional protection for this limited information, including encrypting it, which we should have done from the beginning, just the way we already encrypt all of the credit, Social Security number, biometric data and other information.”