AP: TSA Laptops With Personal Info Missing
Oct 15, 2007, 4:22 pm
#1
Original Member
Original Poster
Join Date: May 1998
Location: PDX
Programs: TSA Refusenik charter member
Posts: 15,978
AP: TSA Laptops With Personal Info Missing
http://ap.google.com/article/ALeqM5j...D8S9SORO3]LINK
WASHINGTON (AP) — Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen.
The laptops belong to a contractor working for the Transportation Security Administration and contain the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people, according to an Oct. 12 letter from TSA to lawmakers.
The contractor told TSA that the personal information was deleted from the computers before they were stolen, the letter stated. But after the second laptop was stolen, TSA investigators discovered that a person with data recovery skills could recover the personal information that the contractor deleted.
News of the security breach came the day before TSA begins collecting similar personal information from employees with access to areas at the port of Wilmington, Del. The Transportation Worker Identification Credential program is set to launch in Wilmington on Tuesday. Eventually 750,000 employees across the country with access to port areas will be required to submit information for background checks.
The laptops belong to a contractor working for the Transportation Security Administration and contain the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people, according to an Oct. 12 letter from TSA to lawmakers.
The contractor told TSA that the personal information was deleted from the computers before they were stolen, the letter stated. But after the second laptop was stolen, TSA investigators discovered that a person with data recovery skills could recover the personal information that the contractor deleted.
News of the security breach came the day before TSA begins collecting similar personal information from employees with access to areas at the port of Wilmington, Del. The Transportation Worker Identification Credential program is set to launch in Wilmington on Tuesday. Eventually 750,000 employees across the country with access to port areas will be required to submit information for background checks.
Oct 15, 2007, 8:03 pm
#2
Join Date: May 2003
Location: Louisville, KY, US
Programs: QF Plat - OW EMD | DL Gold / Starwood Gold
Posts: 6,106
The TSA is doing a great job at keeping data safe.
First it was a laptop with personal info of TSA employees, now it's laptops with HazMat commercial drivers. God only knows what other laptops have disappeared that have not been reported about in the news.
This shows more irresponsibility on behalf of the TSA and they want the public to trust them keeping data secure with "Secure Flight".
Important information should never be stored on the local drive of a laptop, period. I personally make a habit of saving all sensitive information on a network drive on a server. I also have my laptop setup so that I can access the network drive when I am on the road through a secure VPN. This way if something does happen to the laptop, I don't lose any data. Secondly, if CBP or Customs in another country decides to inspect my laptop, they won't find much of anything.
Sad thing is, this isn't a very difficult practice. When on my network, my network drive just mounts as if it were any other drive - only difference is that it is physically in another room and on a machine that not only gets backed up, but has redundant systems and items (including hard drives) can be hot swapped.
The TSA is a big charlie foxtrot when it comes to secure data storage.
First it was a laptop with personal info of TSA employees, now it's laptops with HazMat commercial drivers. God only knows what other laptops have disappeared that have not been reported about in the news.
This shows more irresponsibility on behalf of the TSA and they want the public to trust them keeping data secure with "Secure Flight".
Important information should never be stored on the local drive of a laptop, period. I personally make a habit of saving all sensitive information on a network drive on a server. I also have my laptop setup so that I can access the network drive when I am on the road through a secure VPN. This way if something does happen to the laptop, I don't lose any data. Secondly, if CBP or Customs in another country decides to inspect my laptop, they won't find much of anything.
Sad thing is, this isn't a very difficult practice. When on my network, my network drive just mounts as if it were any other drive - only difference is that it is physically in another room and on a machine that not only gets backed up, but has redundant systems and items (including hard drives) can be hot swapped.
The TSA is a big charlie foxtrot when it comes to secure data storage.
Oct 15, 2007, 8:19 pm
#3
Join Date: Jul 2001
Location: DTW
Programs: Dirt Status w/ All
Posts: 5,040
Not to defend the TSA, but this is not new in the banking or any other industry. My bank just sent me a letter because someone took home a laptop that might have had my SSN on it. At least I get a free year of credit monitoring now.
Oct 16, 2007, 3:57 pm
#4
Join Date: Nov 2003
Posts: 264
The TSA is doing a great job at keeping data safe.
First it was a laptop with personal info of TSA employees, now it's laptops with HazMat commercial drivers. God only knows what other laptops have disappeared that have not been reported about in the news.
This shows more irresponsibility on behalf of the TSA and they want the public to trust them keeping data secure with "Secure Flight".
Important information should never be stored on the local drive of a laptop, period. I personally make a habit of saving all sensitive information on a network drive on a server. I also have my laptop setup so that I can access the network drive when I am on the road through a secure VPN. This way if something does happen to the laptop, I don't lose any data. Secondly, if CBP or Customs in another country decides to inspect my laptop, they won't find much of anything.
Sad thing is, this isn't a very difficult practice. When on my network, my network drive just mounts as if it were any other drive - only difference is that it is physically in another room and on a machine that not only gets backed up, but has redundant systems and items (including hard drives) can be hot swapped.
The TSA is a big charlie foxtrot when it comes to secure data storage.
First it was a laptop with personal info of TSA employees, now it's laptops with HazMat commercial drivers. God only knows what other laptops have disappeared that have not been reported about in the news.
This shows more irresponsibility on behalf of the TSA and they want the public to trust them keeping data secure with "Secure Flight".
Important information should never be stored on the local drive of a laptop, period. I personally make a habit of saving all sensitive information on a network drive on a server. I also have my laptop setup so that I can access the network drive when I am on the road through a secure VPN. This way if something does happen to the laptop, I don't lose any data. Secondly, if CBP or Customs in another country decides to inspect my laptop, they won't find much of anything.
Sad thing is, this isn't a very difficult practice. When on my network, my network drive just mounts as if it were any other drive - only difference is that it is physically in another room and on a machine that not only gets backed up, but has redundant systems and items (including hard drives) can be hot swapped.
The TSA is a big charlie foxtrot when it comes to secure data storage.
#2] This was a contractor not the Agency... You are quick on this board to bash TSA officers, but we can't take credit for this!
#3] As stated above, this can happen in any Agency, or for that matter of fact, any business.
You get to eat your words on this one...
Oct 16, 2007, 4:32 pm
#5
FlyerTalk Evangelist
Join Date: Oct 2004
Posts: 10,037
#1] This is NOT a TSA travel/security issue and does not even belong on this board.
#2] This was a contractor not the Agency... You are quick on this board to bash TSA officers, but we can't take credit for this!
#3] As stated above, this can happen in any Agency, or for that matter of fact, any business.
#2] This was a contractor not the Agency... You are quick on this board to bash TSA officers, but we can't take credit for this!
#3] As stated above, this can happen in any Agency, or for that matter of fact, any business.
Yes, this could happen to any agency. The ultimate irony is how this is going on within an agency whose supposed core competency is SECURITY. Do you not understand that?
Oct 16, 2007, 4:33 pm
#6
Join Date: May 2003
Location: Louisville, KY, US
Programs: QF Plat - OW EMD | DL Gold / Starwood Gold
Posts: 6,106
#2] This was a contractor not the Agency... You are quick on this board to bash TSA officers, but we can't take credit for this!
My comments were directed towards the administration, in case you missed it. The TSA stands for Transportation Security Administration, correct?
Does the TSA lack oversight of their contractors? Yes, I believe that to be the case.
How about the contractors the TSA used to conduct TSA hiring that (1) wasted significant money (hotel rooms at a ski resort, IIRC, as an example) (2) fails to conduct background checks in a timely manner, including verification of references. Is the TSA not responsible for them and or their actions, acting on behalf of the TSA?
The actions of contractors the TSA hires ultimately becomes the responsibility of the TSA.
#3] As stated above, this can happen in any Agency, or for that matter of fact, any business.
You get to eat your words on this one...
:cool
:cool
Oct 16, 2007, 6:23 pm
#7
Join Date: Sep 2006
Programs: CO Plat, Priority Club Plat, HH Diamond, Avis First, Hertz #1Gold
Posts: 720
The underlying problem with this event, even if TSA were not involved, is that our government has not thought out the mechanics of what to do with personal data once it is collected. Once the data becomes the property of the government, it is duty-bound to carry out certain safeguards that ensure acts like this do not occur.
Either those safeguards are not in place, or they are not being enforced. In either case, there should be a "stand down" of collecting personal data on U.S. citizens until we can be reasonably assured our information will not be lost, stolen, or compromised.
Either those safeguards are not in place, or they are not being enforced. In either case, there should be a "stand down" of collecting personal data on U.S. citizens until we can be reasonably assured our information will not be lost, stolen, or compromised.
Oct 17, 2007, 5:14 am
#8
Suspended
Join Date: Dec 2003
Posts: 8,389
While TSA is in the spotlight on this, this is a problem common to many other agencies. The VA also recently lost a laptop that contained hundreds of thousands of personal data of veterans.
The problem is that we as a society haven't learned to get a firm grip on new technologies. On the one hand, it's great to have everything conveniently transmitted with the click of a mouse. On the other hand, there are people who can either intercept those transmissions and/or tap into networks to steal that information. In most cases, it's a simple matter of inadvertently sending information to the wrong person or not taking the proper steps to secure that information.
One of my military assignments involved working with computer network security. Once a quarter, we routinely waited for certain anticipated security breeches involving classified information transmitted over non-secure networks. The cause came from subordinate officers who prepared quarterly slide presentations that contained classified information which they would email to their superiors for review/approval without taking the necessary security precautions. In many instances, they would Cc several other offices as part of protocol or other routine interoffice coordination and staffing. Once a breech occurred, we had to "sanitize" several network systems; and if the breech was reported late, then the command had to go through the pains of resolving security compromises. Point here is that I see the same occurring probably with more frequency than we dare to imagine when it comes to personal data, especially SSNs, since they are routinely used for a multitude of identification purposes. While the focus of this article is on missing laptops, what's overlooked is the potential compromise coming from just a missing jump drive, especially those that hold 1-4 GB of information.
The problem is that we as a society haven't learned to get a firm grip on new technologies. On the one hand, it's great to have everything conveniently transmitted with the click of a mouse. On the other hand, there are people who can either intercept those transmissions and/or tap into networks to steal that information. In most cases, it's a simple matter of inadvertently sending information to the wrong person or not taking the proper steps to secure that information.
One of my military assignments involved working with computer network security. Once a quarter, we routinely waited for certain anticipated security breeches involving classified information transmitted over non-secure networks. The cause came from subordinate officers who prepared quarterly slide presentations that contained classified information which they would email to their superiors for review/approval without taking the necessary security precautions. In many instances, they would Cc several other offices as part of protocol or other routine interoffice coordination and staffing. Once a breech occurred, we had to "sanitize" several network systems; and if the breech was reported late, then the command had to go through the pains of resolving security compromises. Point here is that I see the same occurring probably with more frequency than we dare to imagine when it comes to personal data, especially SSNs, since they are routinely used for a multitude of identification purposes. While the focus of this article is on missing laptops, what's overlooked is the potential compromise coming from just a missing jump drive, especially those that hold 1-4 GB of information.
Oct 17, 2007, 6:26 am
#9
Join Date: Nov 2003
Posts: 264
#1 - Does the TSA not establish data security standards for their contractors? In the end, it was contractors for the TSA. Commercial DRIVERS who DRIVE HAZMAT across the country DO play a role in travel and security. Is driving not a form of transportation in your eyes?
This board is for Travel Safety/Security... Not HAZMAT Transportation...
#2 - You may want to read what I posted again. I did not "bash" a TSO or TSA Officers (aka screeners) as a group. You claim I am quick on this board to bash "TSA Officers" - I suggest you get YOUR facts straight.
My comments were directed towards the administration, in case you missed it. The TSA stands for Transportation Security Administration, correct?
Does the TSA lack oversight of their contractors? Yes, I believe that to be the case.
How about the contractors the TSA used to conduct TSA hiring that (1) wasted significant money (hotel rooms at a ski resort, IIRC, as an example) (2) fails to conduct background checks in a timely manner, including verification of references. Is the TSA not responsible for them and or their actions, acting on behalf of the TSA?
The actions of contractors the TSA hires ultimately becomes the responsibility of the TSA.
Yes the oversight of a contractor belongs with the administration, but again that should have been specified in the original post. When I stated you bash... I should have specified that TSA haters bash, maybe not you personally.
# 3 - The potential exists, but most businesses have strict data control policies in place. It's also called common sense. When government agencies do not control secure data, be it the agency or a contractor for the agency, it indicates the agency has problems and needs to be held accountable.
TSA does have strict data control, but it probably is not enforced as well as it should!
Sorry, but I just had dinner.
This board is for Travel Safety/Security... Not HAZMAT Transportation...
#2 - You may want to read what I posted again. I did not "bash" a TSO or TSA Officers (aka screeners) as a group. You claim I am quick on this board to bash "TSA Officers" - I suggest you get YOUR facts straight.
My comments were directed towards the administration, in case you missed it. The TSA stands for Transportation Security Administration, correct?
Does the TSA lack oversight of their contractors? Yes, I believe that to be the case.
How about the contractors the TSA used to conduct TSA hiring that (1) wasted significant money (hotel rooms at a ski resort, IIRC, as an example) (2) fails to conduct background checks in a timely manner, including verification of references. Is the TSA not responsible for them and or their actions, acting on behalf of the TSA?
The actions of contractors the TSA hires ultimately becomes the responsibility of the TSA.
Yes the oversight of a contractor belongs with the administration, but again that should have been specified in the original post. When I stated you bash... I should have specified that TSA haters bash, maybe not you personally.
# 3 - The potential exists, but most businesses have strict data control policies in place. It's also called common sense. When government agencies do not control secure data, be it the agency or a contractor for the agency, it indicates the agency has problems and needs to be held accountable.
TSA does have strict data control, but it probably is not enforced as well as it should!
Sorry, but I just had dinner.
Oct 17, 2007, 6:29 am
#10
Join Date: Nov 2003
Posts: 264
Didn't think so, do you understand that?
Oct 17, 2007, 6:41 am
#11
Join Date: Jun 2007
Posts: 966
They expect us to blithely hand over all manner of personal information to them, and this is the sort of treatment it'll get? 
Just because someone ELSE screwed up doesn't make it okay for TSA to do so, as well. And I say that as a veteran who's already been exposed to (at least the potential) theft of personal information due to government inadequacy.
Oct 17, 2007, 6:48 am
#12
Suspended
Join Date: Dec 2003
Posts: 8,389
And do YOU (whatsinyourbag) not understand that, as both a government agency AND an alleged security organization which has in the past repeatedly expressed desire to accumulate and retain extensive data on all travellers, TSA can and should be held to the very highest of standards? Standards which they've demonstrated they CANNOT (or worse, WILL not) live up to? They expect us to blithely hand over all manner of personal information to them, and this is the sort of treatment it'll get?
Just because someone ELSE screwed up doesn't make it okay for TSA to do so, as well. And I say that as a veteran who's already been exposed to (at least the potential) theft of personal information due to government inadequacy.
They expect us to blithely hand over all manner of personal information to them, and this is the sort of treatment it'll get? Just because someone ELSE screwed up doesn't make it okay for TSA to do so, as well. And I say that as a veteran who's already been exposed to (at least the potential) theft of personal information due to government inadequacy.
Otherwise, you are correct: there is no excuse for this sort of lapse in security by any agency.
Oct 17, 2007, 7:14 am
#14
Join Date: Jun 2007
Posts: 966
The only flaw in your argument is your assumption that IT security is exclusively TSA's domain. It is not. Information technology security is the standard for all government agencies, regardless of their charter/mission. The same IT security standards apply to the US Post Office as they do to TSA, HUD, DOJ, DoD and an endless list of alphabet agencies throughout government.
Otherwise, you are correct: there is no excuse for this sort of lapse in security by any agency.
Otherwise, you are correct: there is no excuse for this sort of lapse in security by any agency.
This demonstration of IT security issues on the part of an agency which repeatedly makes demands for personal data strikes me as them catching the whole crate of eggs across their collective faces. Want me to trust you with my personal data, TSA? Prove you DESERVE that trust, starting with proving you can do your stated job function first, for example. So far, you've proven you DON'T deserve that trust.
Oct 17, 2007, 6:26 pm
#15
Suspended
Join Date: Dec 2003
Posts: 8,389
Never said I.T. belonged exclusively to TSA - I repeat: "Just because someone ELSE screwed up doesn't make it okay for TSA to do so, as well. And I say that as a veteran who's already been exposed to (at least the potential) theft of personal information due to government inadequacy." I explicitly stated that other agencies have screwed this up, too.
This demonstration of IT security issues on the part of an agency which repeatedly makes demands for personal data strikes me as them catching the whole crate of eggs across their collective faces. Want me to trust you with my personal data, TSA? Prove you DESERVE that trust, starting with proving you can do your stated job function first, for example. So far, you've proven you DON'T deserve that trust.
This demonstration of IT security issues on the part of an agency which repeatedly makes demands for personal data strikes me as them catching the whole crate of eggs across their collective faces. Want me to trust you with my personal data, TSA? Prove you DESERVE that trust, starting with proving you can do your stated job function first, for example. So far, you've proven you DON'T deserve that trust.