UK biometric passports succumb to hack

By Leon Engelbrecht, ITWeb senior writer
Johannesburg, 13 Mar 2007

A security expert has cracked one of the UK's new biometric passports, embarrassing the British government, which touted the passports as a way of cutting down cross-border crime and illegal immigration.

The attack, which uses a common RFID reader and customised code, siphoned data off an RFID chip from a passport in a sealed envelope, said Adam Laurie, a security consultant who has worked with RFID and Bluetooth technology. The attack would be invisible to victims, he said.

"That's the really scary thing," said Laurie, whose work was detailed in the Sunday edition of the Daily Mail newspaper. "There's no evidence of tampering. They're not going to report something has happened because they don't know."

Call for entities to come clean on privacy leaks

Organisations which fail to properly secure personal data should be required to tell their customers when a breach occurs, says privacy commissioner Karen Curtis, in a broad-ranging review of data and privacy law.

Compulsory notification of data loss or exposure would "provide a strong market incentive for organisations to adequately secure databases" containing consumer information, she said.

In a 474-page submission to the Australian ALRC's privacy review, Curtis identified health information, biometrics, data matching and telecommunications as key areas for reform.

Australian security agencies could access health card data

The Australian Security and Intelligence Organisation and the Australian Federal Police will not need a warrant to get information held on the government's new health and welfare access card or on its related databases - including one holding the biometric data of almost all Australians - a parliamentary inquiry has heard.

In revelations that increase the chances of the access card legislation being defeated in the Senate, a federal police agent told a Senate inquiry the police would not require a warrant to see information on the access card database, if it was for the purposes of "the enforcement of the criminal law".
