Every time a foreigner comes to the United States, their biometric data—fingerprints and photographs—are processed into a massive database called US-VISIT. The service prevents identity fraud and helps find criminals, and countries all over the world have adopted similar systems. Now Israel's has been hacked, leading to the leak of personal information of nearly every single citizen there (even some dead ones) onto the Internet.
Authorities in the Middle Eastern country announced the arrest on Monday of a suspect responsible for the massive data theft. He's a contract worker at the Israeli Welfare Ministry who was allegedly engaged in small-scale white-collar crimes after hours and who is accused of stealing Israel's primary national biometric database in 2006. He had access to the database, which is part of the country's population registry, through his office.
The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis—including children—and detailed health information on individual citizens.
Shortly after being fired from his job for unrelated offenses, the unnamed suspect began passing the database around to members of Israel's surprisingly numerous Hasidic Jewish criminal underworld. According to the ultra-Orthodox Jewish Yeshiva World News, the stolen biometric database was passed around by six separate suspects, who made copies of the records in exchange for cash.
Identity theft and petty Internet crimes being what they are, the stolen biometric information quickly made its way online. One of the secondary suspects uploaded the whole of Israel's biometric records database to the Internet under the name “Agron 2006.” A quick Google search reveals numerous torrents and uploaded copies of the database easily available for download.
According to Yoram Cohen of the Israeli Justice Ministry, “Any person who handles personal information and any citizen should lose sleep over the chain of information from the now exposed theft of the Population Registry information.”
There's only one problem: Biometric databases are the future. The Indian government is building the world's largest biometric database, which will handle the personal information of nearly 1 billion citizens and give millions easy access to health care and education. Many European Union members such as Germany and the Netherlands automatically include biometric information on passport RFID chips. Here in the United States, the FBI is building a billion-dollar biometric database that will give every single police department and sheriff's office in the country instant access to millions of mugshots and fingerprints. While they might be scary and Big Brother-ish, biometric databases save massive amounts of taxpayer money and help streamline lumbering bureaucracies.
In the Israeli case, a valuable database was stolen through an inside job. Although the information was stolen by a white-collar criminal with an identity theft jones rather than by a hostile intelligence service or an enemy hacker, the end effect was the same.
The Federal Bureau of Investigation and the Department of Homeland Security have been less than forthcoming about efforts to secure the data contained in their respective biometric databases. However, a DHS privacy impact assessment conducted for the Coast Guard's “Biometrics at Sea” program found numerous privacy concerns and weak spots that required additional security. Both the FBI and Homeland Security's databases will retain decades' worth of personal information, photographs, and fingerprints.
In the end, the government—and taxpayers—have chosen the efficiency and cost savings of biometric databases over the privacy and civil liberties concerns that experts have raised. But as the Israeli example shows, today's biometric database could easily become tomorrow's warez download.
[Image: Flickr user Bob AuBuchon]