Press "Enter" to skip to content

Those biometric devices in Afghanistan? Not even the biggest data risk

Let’s follow up to a story I covered recently – the loss of US military biometric devices to the Taliban, with a fear that data could be used to identify Afghans who supported coalition forces.

Turns out, that’s not even the real risk.    Those devices really only hold limited access to data, which is stored on remote servers.     In reporting from MIT Technology review, turns out the bigger risk is from Afghan government databases.    This is information uses to handle paycheck fraud to pay the members of the National Army and Afghan National Police.    Who now would be potential targets for the Taliban.  

There’s no deletion policy – -and not even a plan for contingency situations.    The problem was fake identities, or “ghost soldiers”, so those trying to fraud the system for paychecks.    Data was collected from the day of enlistment, and contains not just the expected name, date, and place of birth, but much more around family relations, career specialty and military expertise.     And not all of it seems to have a clear user – an example… it asks for recruits favorite fruit and vegetable.  

And a kicker – this isn’t even the most unique or the largest database.   There are several others too.  

Why do we care?

Here’s the consulting lessons.     The thought to secure the data was never baked into the rollout, nor how the data might be used against the individuals.  And clearly there wasn’t a question of “do we really need this data”.  I’m sure there’s a reason to collect that fruit and veg data… which is clearly lost on the other side with lack of understanding and documentation for when things go wrong.

It’s this space I firmly believe is real data management opportunity – working with companies to collect the right data, only the right data, and plan for preventing things going wrong.   It’s a unique offering which I don’t get a sense is widely done.    That’s competitive differentiation…