DATA BREACH no DATA BREACH

The idea for this article, as for others that preceded it, came about by chance, from a casual reading on an American site dealing with Data Science, specifically on the phenomenon of Data Breach.

Let’s go on to narrate the facts, which raised some rather complex questions.

Military device with biometric database of 2,000 people sold on eBay for $68

When a German security researcher, Matthias Marx, found a U.S. military device for sale on eBay (a tool previously used to identify wanted persons and known terrorists during the war in Afghanistan), Marx took a bit of a gamble and placed a low bid of $68.

He probably did not expect to win, since he bid less than half the seller’s asking price, $149.95. But he won and then got an even bigger surprise, as the New York Times reports. When the device arrived with a memory card still inside, Marx was shocked to realize that he had unwittingly purchased the names, nationalities, photographs, fingerprints and iris scans of 2,632 people whose biometric data had allegedly been scanned by the U.S. military.

The device allegedly stored not only personally identifiable information (PII) of apparently suspicious individuals, but also members of the U.S. military, people in Afghanistan working with the government, and ordinary people temporarily detained at military checkpoints. Most of the data came from residents of Afghanistan and Iraq.

All of this data should have been destroyed on site, but apparently this never happened. The failure to wipe the devices is consistent with the U.S. military’s occasional lapses over the past decade, which have put people who have helped the military and members of the U.S. military at risk of being identified and targeted by the Taliban, the Times reported.

It is currently not known for sure how many times the device has changed hands since it was last used in 2012 near Kandahar, Afghanistan.

Marx showed great caution with the data, refusing to share the database electronically with the Times. Instead, the Times sent a reporter to Germany to Marx’s headquarters to see the data, then contacted at least one American who confirmed that the data was probably his.

Department of Defense (DOD) press secretary Brigadier General Patrick S. Ryder told the Times he would have to examine the data before confirming its authenticity.

Obviously, it is not permissible to sell or disclose personal data, let alone data of a biometric nature and of military origin, and yet it happened.

We are in the midst of a Data Breach zone, and I assure you, the Tourism world itself may tremble at this news.

What is a Data Breach

The term data breach refers to a security incident in which sensitive, protected, or confidential data is accessed, copied, transmitted, stolen, or used by an unauthorized party. Typically, a data breach occurs with a disclosure of private or confidential data within an environment without security measures (e.g., on the Web) either unintentionally or voluntarily. Such disclosure can occur as a result of:

  • Accidental loss: e.g., data breach caused by loss of a USB flash drive containing confidential data
  • Corporate disloyalty: e.g., data breach caused by an internal person who is authorized to access the data and produces a copy that is distributed in the public environment
  • Abusive access: e.g., data breach caused by unauthorized access to computer systems with subsequent disclosure of the acquired information

Data breach: types and consequences

When a data breach occurs, there can be three possible side effects:

  • Data breach of confidentiality, when data are subject to disclosure or access by unauthorized third parties
  • Data availability breach, when data are no longer available temporarily or permanently
  • Data integrity breach, when data is changed and therefore no longer reliable

Analysis of the incident must therefore focus on these three points to understand what happened to one’s data.

The measures to be taken and their priority levels follow from the assessment.

An appropriate data breach assessment process consists of the following steps:

  • Understand which data are breached and which assets are affected
  • Identify an order of priority and criticality of data involved and services that could possibly be discontinued
  • Understand the origin of the violation and the reasons for it
  • Assess the impact of the data breach
  • Make forensic copies of the systems involved
  • Work to restore services and data integrity, availability and confidentiality
  • Evaluate possible referrals to the Guarantor and data subjects

Most seriously, the theft described above involved biometric data.

Biometric data, what they are.

Let’s start with the definition given by the GDPR, where it is explained that this is “personal data obtained by specific technical processing, relating to the physical, physiological or behavioral characteristics of a natural person and enabling or confirming their unique identification, such as a facial image or dactyloscopic data.”

For example, biometric data is the fingerprint used to unlock the latest generation of smartphones, but also the physical shape of the hand, face, iris or retina, and the timbre and tone of voice.

The collection of this data is done through hardware and software components that capture the information and analyze it by comparing it with previously acquired data stored in a database (usually directly on the smartphone, in the case of the fingerprint, and not shared with the manufacturer). This makes it possible to identify the person concerned.

A “Titanic” system.

Biometric data theft in the tourism industry?

We have already talked about the concept of tokens in the Future of Tourism and how it is linked to the concept of Blockchain and, therefore, to the security of user data.

Yes, because more and more we will use biometric data (fingerprint, facial scan, voice passwords, etc.) precisely in the use of tokens, to take advantage of the hotel services those tokens entitle you to.

Needless to say, with such a data breach, anyone could use our biometric identity to claim our services in digital form. This problem could also be greater than you imagine, because it is impossible for a computer system to tell the real owner of those biometric credentials from someone else presenting them.

Imagine that you have invented the perfect system for protecting one’s identity and that this system fails, not because of the technology but because of the lack of care in implementing it. No one, even legally, could easily fix it.

To give an example, it is like when the Titanic was launched: it was thought to be unsinkable, and due safety precautions were not properly provided for because the possibility of sinking was thought to be remote.
Same thing: you might consider it impossible for someone else to have the same biometric data, and so consider the threat of an impostor with the same credentials to be nil.
Yet, as we have seen, for $68 on eBay I have thousands of identities and possibilities to buy tokens, hack public systems, commit crimes, vote for "friendly" candidates with a simple click.