Biometric data breach: Database exposes fingerprints, facial recognition data of 1 million people


Biometric data breach: Could cybercriminals use your biometric data to commit identity theft or other crimes?

A breach of a biometric database recently exposed 28 million records, including fingerprints of more than 1 million people.

That raises a question: Could cybercriminals use biometric data to commit identity theft or other crimes?

The answer is possibly yes.

Biometric data is personal information. Your Social Security number is personal information. Your email address, your financial account information, and your username-and-password combinations are all personal information.

Cybercriminals who access any of that information could use it to commit identity theft, potentially entering a secured building while pretending to be you.

Biometrics is the digital representation of physical features that identify you. That sounds more complex than the nine digits printed on your Social Security card. But in both cases, it’s personal information unique to you.

Biometric data breach: What happened

Here’s a look at the recent biometrics breach, along with tips on what you can do to help protect your biometric information.

Breach name: BioStar 2, a Suprema-based security platform.

Date discovered: August 5, 2019.

Date announced: August 14, 2019.

Number of records: 28 million records of over 1 million people worldwide.

Information exposed: Fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, personal details of staff.

Description: Security researchers with vpnMentor discovered the unencrypted database. It belongs to Suprema, a global biometrics, security and identity company.

Thousands of companies use BioStar 2, Suprema’s web-based security platform, which is a biometrics lock system. It uses fingerprints and facial recognition to give a company’s employees access to buildings, offices, and other facilities.

Security researchers say BioStar’s database was unprotected, meaning someone could access the information and potentially steal it.

What are the risks in a biometric data breach?

Biometric information is part of your identity. Unlike a password, it can’t be changed. When cybercriminals access biometric data (fingerprint, retina, facial, or voice), they gain information that can be linked to your identity forever.

A cybercriminal might try to use your biometric data at a building where you legitimately use it to gain entry — say, with your fingerprint.

Your biometric data likely won’t help cybercriminals open a credit account in your name. But biometric information has other applications. For instance, in some places, it’s used for boarding a plane. And the number of applications for biometric data is likely to increase.

So what can you do now?

Tips to help protect your biometric data

Your personally identifiable information is usually stored in databases, and there’s not much you can do to prevent an accidental or intentional breach.

But just as it’s a good idea to not share your Social Security number unless absolutely necessary, you can take steps to limit who collects your biometric data.

Tip 1: Rarely share your biometric data

If an employer or anyone else asks to collect your biometric data, check to see if you can supply an alternate form of identification. For instance, you might be able to enter an office with a building pass, instead of your fingerprint.

Tip 2: Ask questions

It’s fair to ask, “Why do you need it and how will it be used?”

Tip 3: Ask more questions

You might consider asking about how your biometric data will be protected. Where is my biometric data going to be stored? What security measures are in place? Who will have access to my data, and how long will you keep it?

Your biometric data belongs to you. Like other types of your personal information, it has value — including to cybercriminals — and it’s a good idea to protect it.

Norton
