Biometric data breach: Database exposes fingerprints, facial recognition data of 1 million people

August 18, 2019

A breach of a biometric database recently exposed 28 million records, including fingerprints of more than 1 million people.

That raises a question: Could cybercriminals use biometric data to commit identity theft or other crimes?

The answer is possibly yes.

Biometric data is personal information. Your Social Security number is personal information. Your email address, your financial account information, and your username-and-password combinations are all personal information.

Cybercriminals who access any of that information could potentially use it to commit identity theft, such as entering a secured building while pretending to be you.

Biometrics is the digital representation of physical features that identify you. That sounds more complex than the nine digits printed on your Social Security card. But in both cases, it’s personal information unique to you.

Biometric data breach: What happened

Here’s a look at the recent biometrics breach, along with tips on what you can do to help protect your biometric information.

Breach name: BioStar 2, a Suprema-based security platform.

Date discovered: August 5, 2019.

Date announced: August 14, 2019.

Number of records: 28 million records of over 1 million people worldwide.

Information exposed: Fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, personal details of staff.

Description: Security researchers with vpnMentor discovered the unencrypted database. It belongs to Suprema, a global biometrics, security and identity company.

Thousands of companies use BioStar 2, Suprema’s web-based security platform, which is a biometrics lock system. It uses fingerprints and facial recognition to give a company’s employees access to buildings, offices, and other facilities.

Security researchers say BioStar’s database was unprotected, meaning someone could access the information and potentially steal it.

What are the risks in a biometric data breach?

Biometric information is part of your identity. Unlike a password, it can’t be changed. When cybercriminals access biometric data (fingerprint, retina, facial, or voice), they gain information that can be linked to your identity forever.

A cybercriminal might try to use your biometric data at a building where you legitimately use it to gain entry — say, with your fingerprint.

Your biometric data likely won’t help cybercriminals open a credit account in your name. But biometric information has other applications. For instance, in some places, it’s used for boarding a plane. And the number of applications for biometric data is likely to increase.

So what can you do now?

Tips to help protect your biometric data

Your personally identifiable information is usually stored in databases, and there’s not much you can do to prevent an accidental or intentional breach.

But just as it’s a good idea to not share your Social Security number unless absolutely necessary, you can take steps to limit who collects your biometric data.

Tip 1: Rarely share your biometric data

If an employer or anyone else asks to collect your biometric data, check to see if you can supply an alternate form of identification. For instance, you might be able to enter an office with a building pass, instead of your fingerprint.

Tip 2: Ask questions

It’s fair to ask, “Why do you need it and how will it be used?”

Tip 3: Ask more questions

You might consider asking about how your biometric data will be protected. Where is my biometric data going to be stored? What security measures are in place? Who will have access to my data, and how long will you keep it?

Your biometric data belongs to you. Like other types of your personal information, it has value — including to cybercriminals — and it’s a good idea to protect it.
