October 12, 2015
This is a guest post by Ryan Wilk, director of customer success at NuData Security.
Data breaches have consequences. Breaches of government agencies have serious and far-reaching consequences. For instance, a recent news piece reported that China is compiling a sort of hackers’ Facebook of U.S. government employees based on data stolen from multiple breaches.
The extensive breach of the U.S. Office of Personnel Management saw the leak of over 20 million current and former employees’ most personal data, containing medical records, addresses, dates of birth, job and pay history, health and life insurance, pension details and even demographic data. Frightening, isn’t it?
News of the OPM breach continues to develop, including the most recent news that 5.6 million fingerprints were also stolen in the attack, five times more than previously stated. And unlike things such as Social Security numbers that can be replaced, fingerprints are the kind of biometric measure that can be stolen but can’t be replaced. All of this leaked data is in addition to data already taken, and it is so extensive because it was collected on the 127-page Standard Form 86, a.k.a. the SF-86, used when assessing candidates for National Security Positions.
Security experts have been warning that they’ve seen an increase in Chinese hacking attempts against sensitive sites like the OPM, in line with what NuData’s own investigations have also seen in the last three months. Taking information stolen from that hack and adding it to data stolen in breaches like the Anthem and Blue Cross hacks, China is able to build up a robust database of information for nefarious purposes, profiling individuals it could then either impersonate or influence. A source for Fox News referred to the combined pool of data as “a private version of Facebook with much more detail about your life than even Facebook has that the Chinese now have access to.”
There is concern that not only could this private directory of U.S. government employees be used to embarrass, coerce or even impersonate staff, but that the data could filter down and affect the children and families of those affected by the breach. The stolen fingerprints are also worrying, putting field operatives at risk of discovery. Even outside of government espionage, the information they are gathering has a financial component. The more complete these profiles are, the more damaging the potential fraud.
It is easy to understand why the stolen fingerprints are worrying — biometrics are usually hailed as the ultimate measure, but physical scans like a fingerprint or a retina scan can be replicated. Spoofing fingerprints is no longer something from a sci-fi movie. It is happening, and it will only increase as cheaper tools make their way onto the Dark Web.
Behavior-based biometrics, however, can’t be replicated. The way we hold a phone, how fast we type, even the way we navigate a website can all be measured to create an un-stealable, un-spoofable profile. Moving to a system with a behavioral cornerstone means that the kinds of hacks perpetrated by the Chinese become less valuable and less useful when the stolen data is used to try to gain access to other systems.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are that of the author, and don’t necessarily reflect the views of BiometricUpdate.com.