Hackers stole 5.6 million US government employee fingerprints

A massive cyber hacking incident that compromised a United States federal database containing millions of personnel records also resulted in the theft of 5.6 million fingerprint records, American officials have said. Up to 21 million individual files were stolen in June of this year, when hackers broke into the computer system of the US Office of Personnel Management (OPM), which handles applications for security clearances for all agencies of the federal government. The breach gave the unidentified hackers access to the names and sensitive personal records of millions of Americans who have filed applications for security clearances, including intelligence officers.

Back in July, OPM officials told reporters that just over 1 million fingerprint records had been compromised by the cyber hack. However, a new statement issued by the White House last week said that the actual number of stolen fingerprints from the OPM database was closer to 5.6 million. In a subsequent statement, the OPM said there was little that the hackers could do with the fingerprint records, and that the potential for exploitation was “currently limited”. But it added that, as technology continued to be developed, the risk of abuse of the stolen fingerprint records could increase. Therefore, an interagency working group would be put together to “review the potential ways adversaries could misuse fingerprint data now and in the future”, the OPM statement said. It added that the group would be staffed with fingerprint specialists from the Federal Bureau of Investigation, the Department of Defense and the Department of Homeland Security.

External American intelligence agencies, which typically send their officers abroad posing as diplomats, and sometimes under cover identities, are reportedly concerned that certain foreign counterintelligence agencies will be able to use the stolen fingerprints to identify the true identities or professional background of US government employees stationed abroad.

Author: Ian Allen | Date: 29 September 2015 | Permalink

Pakistani spies fear up to 100 million citizen records may have been stolen

A report by Pakistan’s main intelligence agency warns that the personal records of up to 100 million Pakistanis may have been stolen by foreign intelligence agencies due to the alleged links of a software vendor with Israel. The Inter-Services Intelligence directorate (ISI), Pakistan’s premier spy agency, said that the software used by the National Database and Registration Authority (NADRA), which issues national identity cards on behalf of the government of Pakistan, is not secure and should be replaced by an “indigenous” software product.

Established in 1998 as the National Database Organization, NADRA operates under Pakistan’s Ministry of the Interior. Its main mission is to register and fingerprint every Pakistani citizen and supply every adult in the country with a secure Computerized National Identity Card. This has proven to be a Herculean task in a country of 182 million, of whom just over half are over the age of 18. Consequently, the NADRA electronic database contains files on over 96 million Pakistanis, making it one of the world’s largest centralized databases.

But the ISI warned in a recently authored report that the NADRA database may have been compromised through the software that the agency uses to digitize and store fingerprints. According to the Pakistani newspaper Express Tribune, which published a summary of the ISI report on Monday, “the thumb-digitiser system [used by NADRA] was purchased from a French company of Israeli origin”. The report refers to the Automatic Finger Print Identification System, known as AFIS, which NADRA has been using since 2004. The software was purchased for close to $10 million from Sagem (now called Morpho), a leading global vendor of identity software. The company is based in France, but the ISI report states that it has connections with Israel, a country that Pakistan does not officially recognize and has no diplomatic relations with. Because of that, says the ISI report, the entire content of NADRA’s database may have been accessed by the Israeli Mossad, the United States Central Intelligence Agency, India’s Research and Analysis Wing, and other spy agencies seen as “hostile” by Islamabad.

Officials from NADRA refused to respond to the Express Tribune’s allegations, or to acknowledge that the ISI had indeed contacted the agency with concerns about the AFIS database. But a NADRA senior technical expert, who spoke anonymously to the paper, claimed that the ISI’s concerns were unfounded, since NADRA’s servers were not connected to the World Wide Web and were therefore impossible to access from the outside. Another NADRA official told the Express Tribune that Sagem was the only international vendor of fingerprint recognition systems in 2004, when NADRA purchased the software product. Additionally, the Ministry of the Interior successfully sought ISI’s approval prior to purchasing the software. Last but not least, NADRA officials pointed out that the Pakistani Armed Forces are also using Sagem software products.

Author: Ian Allen | Date: 15 September 2015 | Permalink