https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26877#M3369 I like the Guardian article better, but there still seem to be lots of questions to ask.<BR /><BR />A million people (maybe only a million UK citizens?) but more than 28 million<BR />records?<BR /><BR />And, as Forbes points out, this is biometric data: you can't exactly change your<BR />password. A fairly huge hit impacting the use of biometric data itself. With the<BR />number of individuals affected by this, you start to get to the point that you have<BR />to make alternative access control arrangements for a significant section of the<BR />population ...<BR /><BR />And the irony that this was a company that provided security services to police,<BR />defence agencies, and banks? Who watches the watchers who are watching the<BR />watchers?<BR /><BR />(OK, in this case it seems to be research and possibly not a real breach, but still ...)<BR /><BR />====================== (quote inserted randomly by Pegasus Mailer)<BR />rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org<BR />If you want to keep a secret from me, put it inside a Facebook<BR />event invitation.<BR />- <A href="https://twitter.com/brittanymooreok/status/567069226104786944" target="_blank">https://twitter.com/brittanymooreok/status/567069226104786944</A><BR />victoria.tc.ca/techrev/rms.htm <A href="http://twitter.com/rslade" target="_blank">http://twitter.com/rslade</A><BR /><A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank">http://blogs.securiteam.com/index.php/archives/author/p1/</A><BR /><A href="https://is.gd/RotlWB" target="_blank">https://is.gd/RotlWB</A> Wed, 14 Aug 2019 19:26:02 GMT rslade 2019-08-14T19:26:02Z https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26862#M3365 <P>I'm sure the GDPR police will be all over <A href="https://www.forbes.com/sites/zakdoffman/2019/08/14/new-data-breach-has-exposed-millions-of-fingerprint-and-facial-recognition-records-report/#e9e966046c60" target="_blank" rel="noopener">this</A>.</P><P>&nbsp;</P><P>Interesting comment towards the bottom of the article is the establishment of a system that would lower the number of databases that would house your biometrics.&nbsp; Maybe a digital medical record that also stores our biometrics and can only be accessed with our prior approval?</P> Wed, 14 Aug 2019 13:52:58 GMT https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26862#M3365 Flyslinger2 2019-08-14T13:52:58Z https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26866#M3366 <P>Well written article.&nbsp; The best point mentioned, "we need some kind of unified platform where we limit the numbers of parties who actually hold such data, with others accessing those trusted holders on an “as a service” basis."&nbsp; The notion of least privilege and access control never grow old.</P> Wed, 14 Aug 2019 14:56:18 GMT https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26866#M3366 canLG0501 2019-08-14T14:56:18Z https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26877#M3369 I like the Guardian article better, but there still seem to be lots of questions to ask.<BR /><BR />A million people (maybe only a million UK citizens?) but more than 28 million<BR />records?<BR /><BR />And, as Forbes points out, this is biometric data: you can't exactly change your<BR />password. A fairly huge hit impacting the use of biometric data itself. With the<BR />number of individuals affected by this, you start to get to the point that you have<BR />to make alternative access control arrangements for a significant section of the<BR />population ...<BR /><BR />And the irony that this was a company that provided security services to police,<BR />defence agencies, and banks? Who watches the watchers who are watching the<BR />watchers?<BR /><BR />(OK, in this case it seems to be research and possibly not a real breach, but still ...)<BR /><BR />====================== (quote inserted randomly by Pegasus Mailer)<BR />rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org<BR />If you want to keep a secret from me, put it inside a Facebook<BR />event invitation.<BR />- <A href="https://twitter.com/brittanymooreok/status/567069226104786944" target="_blank">https://twitter.com/brittanymooreok/status/567069226104786944</A><BR />victoria.tc.ca/techrev/rms.htm <A href="http://twitter.com/rslade" target="_blank">http://twitter.com/rslade</A><BR /><A href="http://blogs.securiteam.com/index.php/archives/author/p1/" target="_blank">http://blogs.securiteam.com/index.php/archives/author/p1/</A><BR /><A href="https://is.gd/RotlWB" target="_blank">https://is.gd/RotlWB</A> Wed, 14 Aug 2019 19:26:02 GMT https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26877#M3369 rslade 2019-08-14T19:26:02Z https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26881#M3370 <P>Looks like it goes back to the fundamentals as Ross Anderson famously stated to a Select Committee in the UK:&nbsp; <A href="https://publications.parliament.uk/pa/cm201314/cmselect/cmhaff/70/7004.htm" target="_blank">https://publications.parliament.uk/pa/cm201314/cmselect/cmhaff/70/7004.htm</A></P><P>&nbsp;</P><P>"The <STRONG>only way to ensure data does</STRONG> not <STRONG>leak is not t</STRONG>o collect it."&nbsp;</P><P>&nbsp;</P><P>Seems there is a great need for a Trust Network - but exactly who do you trust?&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Caute_cautim</P> Wed, 14 Aug 2019 20:17:57 GMT https://community.isc2.org/t5/Industry-News/Large-Biometric-spill-in-UK/m-p/26881#M3370 Caute_cautim 2019-08-14T20:17:57Z