"The biometric data, unencrypted passwords, and personal data of over one million people have been discovered sitting on a publicly accessible database belonging to a company that serves the likes of the UK Metropolitan Police and banking groups."
Those were the familiar words I typed out as part of my coverage of the Biostar 2 data breach. It's the same narrative I've seen hundreds, if not thousands, of times since becoming a technology journalist in my numbness I even entertained the idea that one million wasn't too bad.
But the Biostar 2 incident is perhaps the most unique security lapse I've come across in my three years at IT Pro. Not because of how it was discovered, nor because of how many were affected. The security lapse itself is even quite common.
What's uniquely terrifying about this breach is the nature of the data that was stolen.
Data breaches and hacks have become so common now that they fail to spark the same outrage they once did. That's not to say people don't get angry when they see a national airline exposing data to the world, or a massively popular social network improperly sharing information to third parties. Yet, for all that initial vitriol, the story disappears soon after. The number of those affected is usually difficult to conceptualise and, by extension, relate to. The privacy impact on each customer also varies significantly.
The initial buzz around the headline is usually followed by the release of fixes, process improvements, and the occasional lawsuit, only for attention to eventually turn elsewhere. Only very rarely does a data incident reverberate in the minds of the public. Facebook's Cambridge Analytica scandal comes to mind. Yet for most, we forget.
And that's ok.
The reason we forget is that the data itself is mercurial. The likes of passwords, email addresses, ID numbers, web history, and user preferences, while unique to each of us, can all be changed relatively easily or at least can go out of date quickly. Financial data theft, of course, can be more damaging but, again, cards can be cancelled and security numbers scrapped. It's also true that data theft for the majority of us usually translates into the odd dodgy phishing scam; often hilarious, always dismissed.
There's also the derision that accompanies scams that exploit password reuse. Those of us that turn to password managers, mainly so that we can fire and forget whenever we sign up to a new service, can be safe in the knowledge that it's those who are uninformed or lazy in their approach to security that will feel the brunt of most hacks.
But the Biostar 2 data leak exposed us all to something a little more sinister and, I would argue, is one of the most serious vulnerabilities ever discovered. Here we had raw, non-hashed fingerprint data and facial scans sat on a vulnerable database, information that is entirely unique and (outside experimental surgery) can't be changed. We've all resigned ourselves to the fact that companies will slip up when it comes to data protection, but when that extends to the very data that makes us individuals, serious questions need to be addressed.
The incident will certainly have implications for the biometrics industry. The drive to go passwordless may improve user security and user experience, but there seems to be little consideration as to how much more sophisticated data collection and storage will need to be as a result. In fact, many companies, including previously respected household names, have demonstrated unprecedented incompetency when handling our data, and it's time we started taking that seriously.
We have to question whether we should allow software vendors to continue to digitise more and more of our immutable personal information in the pursuit of state of the art services, many of which are entirely unnecessary.
