How to lose face: biometric data leaks- a new threat to Big Data systems

How biometric personal data flows: 7 striking examples over the past 5 years

In August 2019, more than 27.8 million records with a total volume of 23 GB were publicly available, including biometric information (fingerprints and photos), unencrypted user logins and passwords, visitor logs, access level information, and personal data of employees of organizations. This database belongs to the South Korean company Suprema, the developer of the Biostar 2 access control system. This product is used to control access to sensitive objects (office buildings, warehouses, etc.), where identification is performed by fingerprints and face. Biostar 2 is used in British Scotland Yard, banks, and defense companies. The reason for the leak is incorrect configuration of the remote Elasticsearch server.

Another large-scale leak of biometric data occurred in 2017 and 2018 with the largest biometrics system – the Indian Big Data project AADHAAR based on MapR and Apache Hadoop. Confidential information about a billion residents of India has been compromised. The cause of the leak in 2018 is believed to be an attack by hackers who hacked the information system of the government of Rajasthan. A year earlier, due to insufficient measures to ensure cybersecurity, including not fully formulated and implemented information security requirements, aadhaar leaked the data of 135 million people.

Back in 2017, attackers broke into the network of the American company Avanti Markets, which produces self-service kiosks for the purchase of snacks and drinks. As a result of the attack, hackers gained access not only to payment data, but also to the biometric information of the company’s customers. In February 2017, there was also a leak of biometric personal data of all voters in the Philippines. A server was stolen from the Election Commission on which fingerprints of 55 million citizens of the country were stored. A similar case occurred in Ghana in 2016, when 4 computers with biometric registration data were stolen from the election commission.

A similar incident also took place in Zimbabwe in the summer of 2018, when attackers cloned the domain of the local election commission, entered the network storage and stole information about voters: fingerprints, photographs, addresses, mobile phone numbers, and national identifier numbers.

In Russia, despite the not-so-wide spread of biometrics, such data has already managed to leak from Sberbank. In October 2019, an archive of audio recordings of conversations of bank customers with bank technical support was sold on the black data market. Thus, voice samples of users of this financial corporation flowed into the network, and speech, like fingerprints, face shots, also refers to biometric personal data.

What to expect from cybersecurity biometric Big Data systems

Kaspersky Lab experts predict that in the future, the number of biometric personal data leaks will increase even more, as biometric technologies are actively introduced into Big Data systems in various fields of activity. To reduce the damage from such incidents, in January 2020, the European Commission proposes to ban the use of face recognition technology in public places for up to 5 years. It is expected that during this period a methodology will be developed for assessing the risks of misuse of such biometric technologies and measures to reduce the likelihood of their occurrence. Thus, the European Commission intends to protect the personal data of EU citizens and their right to privacy.