Biometric Database Breach: Expert Commentary

Suprema has reportedly suffered a biometric database breach including facial recognition records, fingerprints, log data and personal information being found on “a publicly accessible database.” The damage is not yet clear, but the report claims that actual fingerprints and facial recognition records for millions of people have been exposed.

EXPERTS' COMMENTS
Chris DeRamus, CTO and co-founder, DivvyCloud
August 21, 2019
Companies continue to suffer breaches from misconfigurations
Leaving servers unprotected seems like such a simple mistake to avoid, but more and more companies suffer data breaches as the result of misconfigurations, and we read about them in the news almost every day. Suprema joins Aavgo, University of Chicago Medicine, Rubrik, Gearbest, Ascension and countless other organizations this year as victims of data leaks due to misconfigurations. The truth is, organizations are lacking the proper tools to identify and remediate insecure software configurations and deployments on a continuous basis. Automated cloud security solutions give companies the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, and they can even trigger automated remediation in real time.
Jonathan Bensen, CISO, Balbix
August 20, 2019
Suprema's breach can result in fines under GDPR
Suprema has potentially compromised more than 27.8 million records of admin panels and dashboards, as well as individuals’ sensitive biometric data and other PII, which can be devastating for those affected. The information exposed could allow a malicious group to conduct a sophisticated social engineering attack with real-world implications, including allowing unauthorized users to access high-security areas that require biometric signatures for access. Seeing as UK citizens’ data was exposed, it will not be surprising if the South Korean-based biometrics, security and identity solutions provider faces fines under GDPR. Suprema can even face litigation from citizens in other countries, including the U.S. In fact, China-based Huazshu Group was sued last October by a Huazshu shareholder in the Central District of California after the company’s breach of 123 million records of registration data. Organizations need to continuously monitor all IT assets across hundreds of potential attack vectors to detect vulnerabilities. This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore. The key to thwarting future attacks is to leverage security tools that employ the right AI and ML techniques to observe and analyze these data points in real time and derive insights in order to prioritize the vulnerabilities that need to get fixed first. Proactively managing risk must become the new norm and is a requirement for successful cybersecurity practice.
David Emm, Principal Security Researcher, Kaspersky
August 15, 2019
It’s my view that biometrics should be used as an alternative to usernames, not passwords.
“This incident underlines the risks associated with using biometric identifiers. Biometric data is just as valuable a target for cybercriminals as usernames and passwords. The theft of biometric data, and the fact that this could be used to spoof people’s identity, highlights how important it is for companies to secure customer data. This is especially important in the case of biometric data. In the event of a data breach, a compromised password can be changed, but this is not true for a fingerprint or other biometric data. This raises the question of whether biometrics are a safe alternative to passwords. It’s my view that biometrics should be used as an alternative to usernames, not passwords. Whether it’s passwords or biometrics, providers should take steps to secure authentication data and other personal information. If data is stored in the clear, it provides a treasure trove for cybercriminals.”
Willy Leichter, VP of Marketing, Virsec
August 15, 2019
Unfortunately, leaking of biometric source information is the inevitable next step in a long line of security blunders.
Unfortunately, leaking of biometric source information is the inevitable next step in a long line of security blunders. With any authentication method, from passwords to advanced biometrics, security is only as strong as its weakest link. With all the hype around biometrics and AI, we tend to overlook the basics – we’re entrusting increasingly unchangeable personal data to a network of third parties with little oversight, and few enforceable standards over how priceless personal data is handled. While GDPR lays out principles for data protection, these need to be swiftly and severely enforced for organizations that are clearly reckless.
Kevin Gosschalk, CEO, Arkose Labs
August 15, 2019
This breach not only exposes individuals to fraud but also makes them indefinitely vulnerable to future attacks, as biometrics.
Suprema’s breach exposing biometric records for more than 28 million people – including fingerprint data, facial recognition data, and face photos of users – disrupts the long-held belief that biometrics are the most effective authentication solution. This breach not only exposes individuals to fraud but also makes them indefinitely vulnerable to future attacks, as biometrics, unlike passwords or credit card numbers, cannot be changed. Today’s cybersecurity ecosystem has commoditized the sale of consumer records and credentials on the dark web, making passwords and other traditional authentication methods easily susceptible to account takeover attacks. Biometric authentication technology emerged as the go-to solution in a post-password world, but compromising the biometrics of millions of users could have long-term impact on its viability and security. We are in uncharted territory because this is the first major biometric breach to date, and it’s unclear how immediately cybercriminals will be able to weaponize this information to the detriment of the 28 million victims impacted and 5,700 organizations currently using Suprema’s biometric identity technology. What is clear, however, is that this highly sensitive information should never have been left on an unprotected database. Data powers today’s global economy, and businesses must understand their threat landscape and implement a proactive approach to fraud prevention.
Robert Prigge, President, Jumio
August 15, 2019
This data breach proves that biometric data is extremely valuable to fraudsters.
This data breach comes at a critical moment, as a growing number of consumers are comfortable using biometric technology on a daily basis to unlock their phone or authorize a digital payment. Storing sensitive biometric data without encryption, such as the actual fingerprint and facial recognition information compromised with this breach, is gross negligence. At the bare minimum, biometric data requires strong encryption, but additional steps, like hashing and creating mathematical models that can’t be reverse engineered, should be applied to further increase data security. Retaining the actual fingerprint images is dangerous on behalf of Suprema because biometrics cannot be changed, and this puts 28 million people at extreme risk. If a username or password is compromised, consumers can recover the account and update their credentials. This won’t work with biometrics — once the information is leaked, the end user is out of luck and their biometrics can be used in future attacks. This data breach proves that biometric data is extremely valuable to fraudsters, but when used on its own, isn’t enough to prove an individual’s identity. This is why liveness detection is absolutely crucial in the digital identity verification process. A liveness check can quickly ensure an account holder is physically present during the transaction to prevent cybercriminals from spoofing a system using stolen biometric data in an attempt to acquire someone else’s privileges or access rights.
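The "bare minimum" named above, encryption of biometric templates at rest, is worth seeing concretely. The following Go program is an added example written for this page; it is not code from Suprema, Jumio, or any of the commentators. It assumes a 32-byte data key that lives outside the database (a KMS or HSM is the usual home; here it is a constructed in-memory value) and seals each template with AES-256-GCM, binding the subject's record ID as associated data so a ciphertext cannot be silently moved to another row. The point it demonstrates is that a copy of the database table alone, as in a publicly exposed datastore, yields nothing usable without the separately held key, and that any tampering with the stored record is detected on decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// StoredTemplate is the only thing that should reach the database:
// nonce plus ciphertext, never the raw biometric template.
type StoredTemplate struct {
	RecordID   string
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a fresh 32-byte AES-256 key. In production this
// value would be generated and held by a KMS/HSM, not by the app process
// (assumption made for this example).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptTemplate seals a raw template with AES-256-GCM. The record ID is
// passed as additional authenticated data, so the ciphertext is bound to
// that subject and cannot be re-labelled without failing authentication.
func EncryptTemplate(key []byte, recordID string, template []byte) (StoredTemplate, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return StoredTemplate{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return StoredTemplate{}, err
	}
	// A unique nonce per record is mandatory for GCM; never reuse one under the same key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredTemplate{}, err
	}
	ct := aead.Seal(nil, nonce, template, []byte(recordID))
	return StoredTemplate{RecordID: recordID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptTemplate recovers the template. Any change to the nonce, the
// ciphertext, or the record ID, or use of a different key, returns an error
// instead of plaintext.
func DecryptTemplate(key []byte, rec StoredTemplate) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.RecordID))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a fingerprint feature vector; real templates are binary blobs.
	template := []byte("constructed-minutiae-vector-for-subject-0001")
	rec, err := EncryptTemplate(key, "subject-0001", template)
	if err != nil {
		panic(err)
	}
	// This is what an exposed table would reveal: opaque bytes only.
	fmt.Println("stored:", rec.RecordID, base64.StdEncoding.EncodeToString(rec.Ciphertext))
	if _, err := DecryptTemplate(key, StoredTemplate{RecordID: "subject-0002", Nonce: rec.Nonce, Ciphertext: rec.Ciphertext}); err != nil {
		fmt.Println("re-labelled record rejected:", err)
	}
}
```

Encryption at rest is the floor, not the ceiling: it protects against exactly the failure mode in this incident (a database reachable without credentials) and against record substitution, but it does nothing once an attacker holds the key, which is why key custody must be separated from the data store and why the commentators also call for non-invertible template protection and liveness checks on top.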
Vinay Sridhara, CTO, Balbix
August 15, 2019
Seeing as UK citizens’ data was exposed, it will not be surprising if the South Korean-based biometrics.
Suprema has potentially compromised more than 27.8 million records of admin panels and dashboards, as well as individuals’ sensitive biometric data and other PII, which can be devastating for those affected. The information exposed could allow a malicious group to conduct a sophisticated social engineering attack with real-world implications, including allowing unauthorized users to access high-security areas that require biometric signatures for access. Seeing as UK citizens’ data was exposed, it will not be surprising if the South Korean-based biometrics, security and identity solutions provider faces fines under GDPR. Suprema can even face litigation from citizens in other countries, including the U.S. In fact, China-based Huazshu Group was sued last October by a Huazshu shareholder in the Central District of California after the company’s breach of 123 million records of registration data. Organizations need to continuously monitor all IT assets across hundreds of potential attack vectors to detect vulnerabilities. This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore. The key to thwarting future attacks is to leverage security tools that employ the right AI and ML techniques to observe and analyze these data points in real time and derive insights in order to prioritize the vulnerabilities that need to get fixed first. Proactively managing risk must become the new norm and is a requirement for successful cybersecurity practice.
