15.07.2014
When the new biometric ID card was presented in Parliament, Prime Minister Ramgoolam gave two reasons why the biometric ID card and database contract had been given to a Singaporean State-headed consortium. He declared in the 9 July 2013 Parliament session:
“(...) we have gone for an agreement with the Government of Singapore for two main reasons, Mr Speaker, Sir. They are known for their efficiency. They have a reputation for everything being above board. If we went to a private company, we could have done that, advertising for a private company; you would have seen all sorts of things coming up, this and that. I prefer to deal with the Government that I know and it has a reputation as being above board.
The second point is that there is an aspect of security. We want to be very sure that these data are not obtained by the people. There is an aspect of security that I would rather not have it handled by other people. I think it is important.”
What neither Prime Minister Ramgoolam nor, for that matter, the Parliamentary MMM-MSM opposition mentioned is that even States known for their concern over national security cannot guarantee the security of the central database containing personal data of their citizens.
In 2006, Israel’s population database containing personal information of 9 million people was hacked, leading to the leaking of their personal data onto the internet. This personal data included information about Israeli citizens living and dead, birth parents of hundreds and thousands of adopted Israelis (including children) and detailed medical information on individual citizens.
This happened after a contract worker in the Ministry of Welfare was fired. He had copied the database and, after being fired, passed it to members of the criminal underworld. The stolen biometric database was sold by six separate suspects who had also made copies of it. The database, called “Agron 2006”, could even be downloaded online. So it took only one disgruntled worker for the whole database to find its way onto the internet.
In recent months, technicians who developed the design, security and infrastructure for the MNIC Scheme have been bragging that they are the ones who developed it. One technician, who provides his name, even states in his LinkedIn "experience" profile:
“DBA
February 2013 – Present (1 year 6 months)
Report to the PMs for overseas project such as Mauritius MNIC project, my duties and responsibilities:
1. The infrastructure design and relevant document preparation including the testing environment, UAT and Production.
2. The system design and all servers’ installation and configuration such as Linux, Windows and Netware
3. The Oracle database Installation and the Oracle Data Guard Configuration.
4. The MS SQL Server installation and SQL Server Mirroring Configuration
5. All servers’ backup strategy design and implementation
6. Provide the system security audit solution”
Others are also stating in their LinkedIn profiles what software or hardware they actually designed in the MNIC project.
Now that this information has been made public, it is easy to see how a way into the database could be found through threats or enticements directed at individual technicians who are now publicly known. These are tried and tested methods habitually used in “crime underworld” quarters.