The U.S. Transportation Security Administration (TSA) has temporarily stopped a vendor from signing up new customers for its Registered Traveler program after a company laptop containing the unencrypted personal data of 33,000 people went missing at the San Francisco International Airport.
The laptop, owned by vendor Verified Identity Pass (VIP), contained personal records of customers seeking to enroll in the company’s Registered Traveler program. VIP, under the brand Clear, is one of seven vendors authorized by TSA to offer Registered Traveler programs, which allow frequent air travelers to have background checks completed before they travel so that they can spend less time in security lines at airports.
VIP began notifying customers of the breach late Monday, when the TSA announced it had occurred.
The VIP laptop was reported missing July 26, the TSA said. The agency, late Tuesday, said it was suspending new enrollment in VIP’s Registered Traveler program while the company takes steps to comply with TSA’s security requirements. The TSA requires Registered Traveler vendors to encrypt personal data, said TSA spokeswoman Ann Davis.
“We did set up some security standards in the beginning, and encryption was critical,” Davis added.
The laptop, which had two layers of password protection, was housed in a locked office with security cameras, VIP said. The laptop contained customer names, addresses, birth dates, and in some cases driver’s license numbers, passport numbers or alien registration numbers, the company said.
The laptop did not contain credit card or Social Security numbers, or biometric information such as fingerprints, VIP said.
“We don’t believe the security or privacy of these would-be members will be compromised in any way,” VIP CEO Steven Brill said in a statement. “But out of an abundance of caution, and in keeping with a policy of always leveling with our members, we wanted to issue this warning regardless of which state law may or may not require it.”
A VIP spokeswoman said the company expects the suspension of its Clear program to last about five days. She didn’t answer a question asked by e-mail about why the information on the laptop was unencrypted.
VIP has about 200,000 Registered Traveler customers, and it operates at 17 airports, including airports in or near New York City; Washington, D.C.; Los Angeles; Denver; and San Jose, California. The TSA’s Registered Traveler program has been operating since 2005.
VIP will be required to submit an independent audit, verifying that required security measures are in place, the TSA said. The agency will verify the audits before VIP can resume its Registered Traveler program, Davis added.
VIP is also offering affected customers free identity theft protection, the company said.