WASHINGTON - The Transportation Security Administration (TSA) announced today that it is suspending Verified Identity Pass, Inc. (VIP) - the company that operates Registered Traveler (RT) programs under the brand name Clear® - from enrolling new applicants in RT due to vulnerabilities discovered in the company's storage of Clear® applicants' sensitive personal information. The vulnerabilities came to light after an unencrypted VIP laptop computer was discovered to be missing from San Francisco International Airport (SFO) on July 26. The computer contained pre-enrollment records of approximately 33,000 customers.
TSA has instructed SFO to ensure that VIP immediately notifies the individuals impacted. In addition, SFO and all other airports using Clear® have been instructed to ensure that VIP: suspends enrollment, ceases use of any unencrypted computers and secures the devices until encryption can be installed. TSA requires RT service providers and sponsoring entities to encrypt all files containing participants' sensitive personal information. Noncompliance with such requirements can result in actions including suspension of a program and possible civil penalties.
The suspension will protect consumers waiting to enroll in RT and allow VIP to bring its procedures into compliance. VIP will be required to submit an independent audit, verifying that the required security measures are in place. TSA will verify the audits before enrollment procedures can resume. Verified Identity Pass, Inc. will be responsible for notification and resolution surrounding this incident.
Current Clear® customers will not be affected by this action and will not experience any disruption when using Registered Traveler.
TSA is contacting all RT service providers to reaffirm proper security measures are in place, including encryption of sensitive personal information of participants. TSA remains committed to partnerships with private sector entities that enhance the safety and convenience of the flying public.