As an increasing number of data leaks involving consumer information, credit card numbers, and passwords have occurred, biometric security has been advanced as a more-fool proof way to ensure encryption of data. Biometric data uses some individual biological trait, such as a fingerprint or elements of a face, to identify people.
The perceived trustworthiness of biometric data is one of the reasons that financial institutions, to use just one example, are increasingly securing accounts with voice recognition technology. Voice recognition is considered more secure than an account number or a password.
A Leak Exposes the Biometric Data of One Million People
But is biometric data, in fact, more secure? It appears not. A recently announced technology news leak in the United Kingdom exposed personal biometric data – fingerprints and facial recognition information — of one million people. The leak occurred at Suprema, a South Korean company hired to provide biometric security to U.K. banks, military contractors, gyms, medical supply companies, and the Metropolitan police.
It has since been fixed. It does not appear that hackers have used the information.
However, as several reports pointed out, a data leak like this raises a serious set of problems. Stolen credit card or account data can be reported and fixed – and the fix is generally changing the numbers involved. However, with biometric data, individuals can’t change the data (short of futuristic surgery). The exposure of data could thus be far more difficult to fix if it ever is used for nefarious purposes.
Metadata like login information can be associated with biometric data — and hacked in any biometric data breach.
The dangers posed by the two types of data stolen aren’t equal, according to Slate’s Technology section. Facial recognition data is complicated to execute a hack on, so it’s highly unlikely that the average cyber thief could use it effectively at this point.
Fingerprints, however, are an entirely different story. Fingerprints could be used to compromise both simple and more advanced security systems. (Some of the fingerprint data leaked seems to have been used to access buildings.) Some existing fingerprint scanners will actually accept a picture of a fingerprint – which, presumably, any hacker of the data in question could create.
More importantly, perhaps, the metadata associated with the fingerprints were also leaked. The metadata includes log-in information and identities associated with the fingerprints. It was unencrypted, meaning it could be read easily. This makes cyberhacking more possible, as many security systems deploy two-factor authentication, such as log-in information and a fingerprint scan. If cyber thieves were to get hold of analogous data, they could access accounts.
It’s also apparently possible for cybercriminals to develop new user accounts in the open-to-leaks database and then enter their own fingerprints. The new accounts would allow them access to the buildings involved in the leak.
The overall lesson seems to be that no form of security yet developed is fully safe from exposure of records. The real key to business leadership seems to be whether data leaks can be found in time and whether the security response can be sufficient.